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ABSTRACT 

This  thesis  introduces  a  program  that  analyzes  network  protocols  using  the 
Communicating  Finite  State  Machines  (CFSM)  model  and  the  System  of  Communicating 
Machines  (SCM)  model.  A  simple,  two  machine  implementation  of  CFSM  model  is 
initially  explored.  A  number  of  simple  protocols  are  demonstrated  as  a  means  to  validate 
the  automated  tool  (program). 

The  second  model  implemented  is  that  of  the  SCM  model.  The  SCM  tool  uses  many 
of  the  same  data  structures  designed  in  the  CFSM  program .  The  SCM  program  is  validated 
with  an  analysis  of  widely  used  data  link  protocols. 

Both  programs  were  done  in  the  Ada  language  environment. 
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I.  INTRODUCTION 


simulations  are  set  up  to  answer  the  question,  what  if.. 


-Hamming,  R.  W.,  Future  Engineering  Practice 
Course  Notes,  1 1  May  92. 


A.   BACKGROUND 

The  past  ten  years  have  seen  an  substantial  increase  in  the  need  to  communicate 
quickly  and  reliably  over  long  distances  using  a  wide  range  of  architectures.  We,  the  users, 
live  in  a  'come  as  you  are'  digital  society.  Access  to  some  sort  of  network  is  needed  to  move 
information  from  user  to  user.  This  movement  of  information  takes  place  on  many 
networks  (voice,  message,  data)  and  at  many  levels  (physical,  data  link,  network,  and 
higher).  The  networks  in  use  today  tend  to  be  a  heterogeneous  mix  of  equipment  and 
protocols.  We,  the  network  designers/engineers,  must  allow  the  user  access  to  the  available 
resources  at  the  lowest  cost.  To  do  this  a  firm  understanding  of  how  machines  'handshake' 
and  talk  to  one  another  must  be  realized.  This  is  accomplish  by  applying  protocol  design 
principles.  These  principles  can  be  applied  to  protocols  and  studied  using  a  wide  range  of 
Formal  Description  Techniques  (FDT's).  Examples  of  existing  FDT's  will  be  reviewed  and 
the  need  for  an  automated  set  of  tools  will  also  be  explored. 

The  need  for  machines  to  be  able  to  communicate  is  inherent  in  any  heterogenous 
environment.  Machines  do  this  through  the  use  of  standardized  protocols.  A  protocol  is  a 
set  of  rules  that  govern  the  interaction  of  concurrent  processes  in  distributed  systems. 
Another  widely  used  definition  of  a  protocol  is,  a  set  of  rules  used  for  communication 
between  two  or  more  processes  connected  by  a  communication  network.  Hand  in  hand, 
protocol  design  and  analysis  is  an  important  consideration  in  operating  systems,  computer 
networks,  and  data  communications.  For  a  protocol  designer/architect  to  build  an 
appropriate  specification,  he  must  use  one  of  a  number  of  modeling  techniques. 


Models  or  FDT's  of  protocols  arc  used  for  many  purposes.  They  are  used  to  describe 
the  protocol  unambiguously  so  that  the  exact  operation  is  understood  by  both  the  protocol 
designer,  implementer  and  user.  A  model  is  also  used  to  provide  a  formal  framework  for  a 
rigorous  analysis  of  the  protocol  specification.  With  the  advent  of  internetworking  and  the 
birth  of  Integrated  Services  Digital  Network  (ISDN),  computer  protocols  have  become 
more  and  more  complex.  The  designer  must  now  develop  large  sets  of  rules  for  information 
exchange  that  is  logically  consistent  and  efficiently  implemented.  To  design  a  new  protocol 
or  to  implement  an  existing  one  into  a  computing  environment  gives  rise  to  a  need  for  such 
a  tool. 

There  are  many  formal  models  available  to  protocol  architects.  Some  of  the  more 
common  models  include  Petri  Nets,  Communicating  Processes,  Communicating  Finite 
State  Machines  (CFSM),  System  of  Communicating  Machines  (SCM),  the  Language  of 
Temporal  Ordering  Specifications  (LOTOS),  Specification  and  Description  Language 
(SDL),  and  Extended  State  Transition  Model  Language  (ESTELLJE).  LOTOS  and 
ESTELLE  are  formal  description  techniques  developed  by  the  International  Organization 
for  Standardization  (ISO)  working  laterally  with  the  International  Telephone  and 
Telephone  Consultative  Committee  (CCITT). 

The  ISO  is  a  standards  publishing  body  including  the  American  National  Standards 
Institute  (ANSI).  In  1980,  the  ISO  saw  the  advantages  of  standardizing  a  hierarchy  of 
protocol  services  as  a  reference  model  for  protocol  designers.  The  model  includes  seven 
layers:  physical,  data  link,  network,  transport,  session,  presentation,  and  application.  The 
layer/class  of  protocols  that  will  be  analyzed  in  this  thesis  are  the  data  link  layer  protocols. 

Each  of  the  models  that  will  be  discussed  have  a  means  to  amplify  design  principles 
of  communications  systemsfBART  87].  The  first  principle  is  for  a  model  to  reflect  the 
behavior  of  the  protocol.  Behavior  is  modeled  using  conformance  models,  an  example 
found  in  [RAND  92].  Secondly,  the  model  must  allow  refinement  by  the  user.  Safety  and 
lively  properties  should  be  proven  true.  And  the  last  principles  that  must  be  supported  are 


those  of  concurrency  and  nondeterminism.  A  good  overview  is  found  in  King's 
article[KING91]. 

The  need  for  a  variety  of  models  is  apparent  when  it  is  considered  that  the  interaction 
between  machines  occurs  at  different  levels  in  the  OSI  structure  and  that  behavior  can  be 
quite  different  among  levels  and  machines.  The  models  listed  above  will  be  reviewed  in  the 
following  section.  Most  of  the  models  have  a  means  to  informally  follow  the  design 
principles.  Upon  close  inspection  of  each  FDT  it  is  apparent  that  no  one  is  perfect  for  all 
applications.  As  such,  an  automated  tool  will  be  presented  that  will  make  the  use  of  two 
models  (CFSM  and  SCM).  The  intuitive  feel  of  each  protocols  coupled  with  the  power  of 
automating  such  a  such  models  will  enable  the  user  to  fully  enjoy  the  important  design 
principle  of  refinement. 

B.  OBJECTIVES 

The  objective  of  this  thesis  is  to  present  a  means  of  automating  two  powerful  models 
of  protocol  validation  and  analysis.  The  first  that  was  to  be  automated  is  the  CFSM  model. 
The  data  structures  and  program  entities  were  developed  and  verified.  The  second  tool 
automated  is  the  SCM  model.  Although  the  SCM  used  many  of  the  underlying  data 
structures  and  logic  of  the  CFSM,  the  SCM  model  is  much  more  elegant  and  much  more 
complex.  The  output  information  is  provided  to  the  user  in  an  intuitive  format.  Once  the 
two  models  were  fully  functional,  test  cases  were  input  to  the  models  to  verify  the 
functionality.  Finally,  a  select  number  of  existing  protocols  were  input  and  the  analysis 
compared  to  previous  research  using  a  manual  method. 

C.  SCOPE 

This  thesis  presents  automated  implementation  of  both  the  CFSM  and  SCM  models. 
The  implementation  of  each  model  was  limited  to  two  machine  protocols.  The 
specifications  covered  in  this  thesis  lend  themselves  very  well  to  the  simulation  or 
automated  analysis. 


The  unboundedness  properties  of  CFSM  channels  are  obviously  limited  to  the 
hardware  that  the  tool  is  run  on.  A  channel  can  have  a  bound  the  size  of  the  largest  machine 
register,  in  the  case  of  the  test  runs,  a  SUN  SPARC  station,  the  upper  bound  was  that  of  the 
largest  integer(4.294967  x  109  items). 

An  analysis  of  select  data  link  protocols  are  included  to  illustrate  the  use  of  the  CFSM 
and  SCM  automated  models.  The  specifications  will  only  address  procedural  rules,  not 
formatting  of  messages. 

D.      ORGANIZATION 

This  thesis  is  organized  into  three  sections.  The  first  section  includes  Chapters  II  and 
HI.  Chapters  II  and  HI  give  background  information  of  pertinent  models  and  language 
considerations.  The  next  section,  Chapters  IV  and  V,  give  a  detailed  description  of  how  the 
code  was  implemented  to  reflect  the  behavior  of  the  two  models.  The  final  section,  Chapter 
VI,  describes  the  specifications  of  Alternating  Bit,  Go_Back_N,  and  Selective  Repeat 
network  protocols.  It  also  describes  how  the  user  inputs  the  information  into  and  receives 
output  from  the  tool.  A  means  for  validating  each  automated  model  is  discussed  in  this 
chapter.  Finally,  Chapter  VII  includes  conclusions  made  based  on  the  thesis  work  and 
recommendations  for  future  work  in  the  area. 


n.  BACKGROUND  OF  MODELS 

A.      GENERAL 

This  section  contains  an  overview  of  some  existing  FDT's.  Each  model  is  a  different 
way  to  represent  a  protocol  design  or  reflect  network  behavior.  Each  has  its  own  inherent 
advantages  and  disadvantages,  of  which  must  be  considered  before  application.  Two 
models  listed  (ESTELLE  and  LOTOS)  are  automated. 

The  first  method  of  description  is  Petri  Nets.  Petri  Nets  are  a  graphical  representation 
of  a  systems's  states  and  state  changes.  The  possible  states  are  captured  using  places  which 
can  hold  tokens,  A  particular  state  is  represented  by  a  movement  of  tokens  to  states.  State 
changes  are  described  using  transitions.  This  can  be  visualized  as  being  similar  to  a  directed 
graph.  The  input  and  output  arcs  associated  with  each  transition  determine  how  token 
placement  changes.  The  behavior  of  a  system  can  be  determined  by  examining  token 
movement  within  the  net.  Deadlock  and  freedom  of  livelock  are  examined  in  this  model. 
The  complexity  of  Petri  Net  representation  increases  with  the  size  of  the  protocol  being 
modeled.  A  major  consideration  for  using  this  model  is  the  intuitive  feel  of  a  protocol  is  lost 
on  the  complex  cases. 

Another  class  of  FDT  are  models  is  called  "communicating  processes."  The  following 
description  is  more  closely  examined  in  Lundy's  article[LUND  92b].  The  elimination  of  a 
set  of  global  states  is  done  through  the  use  of  invariants.  Rather  than  generating  the  set  of 
all  possible  states,  and  inspecting  them  to  be  sure  no  undesirable  state  exists,  an  assertion 
is  made.  The  assertion  states  the  desired  property.  It  is  proven  that  the  protocol  always 
satisfies  the  assertion,  this  must  be  proven  without  having  to  compute  all  the  possible  states 
which  might  be  reached.  The  communication  between  processes  takes  place  between 
unbounded  FIFO  queues.  Processes  are  emulated  by  use  of  variables  and  statements.  The 
execution  of  an  action  is  an  atomic  event  and  no  two  actions  may  occur  simultaneously. 
Since  communication  between  processes  can  only  occur  using  FIFO  queues,  actions  may 


only  follow  a  given  sequence.  The  SCM  model  demonstrates  how  this  is  characteristic  is 
overcome. 

Extended  State  Transition  Model  Language  (ESTELLE)  can  describe  a  system  in 
terms  of  a  set  of  communicating  extended  finite  state  machines  through  use  of  FIFO 
channels,  similar  the  to  definition  of  CFSM.  This  model  describes  the  protocols  as  a 
collection  of  modules,  each  module  is  an  extended  FSM  having  memory-the  difference 
between  an  CFSM  and  Estelle  model  is  that  the  CFSM  model  has  no  memory.  Modules  of 
an  entity  can  communicate  through  FIFO  channels[SARI  91].  Messages  are  exchanged 
between  entities  as  parameters  to  the  modules.  Estelle  is  bajed  on  Pascal  and  the  extension 
of  the  language  is  a  feature  available  to  the  programmer/user.  The  models  automated  in  this 
thesis  are  similar  to  Estelle,  however,  data  representation  is  implemented  differently  and 
the  power  of  the  language  implemented  (ADA)  is  utilized-ESTELLE  also  allows  dynamic 
module  creation/destruction  and  transition  priorities.  A  model  implementation 
consideration  is  ESTELLE  cannot  adequately  represent  broadcast  channels,  a  shortcoming 
that  the  SCM  model  has  shown  very  well  suited  for,  such  as  CMSA/CD  analysis  [LUND 
91a]. 

Specification  and  Description  Language  was  designed  and  implemented  by  groups 
SGXI  and  SGX  of  the  CCITT.  It  was  meant  as  a  tool  for  the  design  and  specification  of 
telephone  switches  and  their  underlying  protocols.  Currently  there  are  two  versions  of 
SDL;  a  graphical  tool  and  a  text  program  tool.  Processes  are  represented  by  flowcharts, 
which  could  be  concurrent  to  other  processes.  The  eight  traditional  flowchart  symbols 
represent  atomic  actions  such  as  internal  events,  input  and  output,  boolean  expressions, 
wait  conditions,  statements,  transitions,  and  connectors  Each  flowchart-  has  an  associated 
channel  (queue)  used  to  process  messages.The  Holzman  text  [HOLZ  91]  includes  a  more 
specific  definition  of  SDL  with  some  examples.  One  advantage  to  this  approach  is  the  user 
gets  a  feel,  graphically,  of  the  behavior  of  the  protocol.  The  process  execution  is  somewhat 
restricted  to  the  properties  that  a  FIFO  queue  has. 


The  ISO  language  of  Temporal  Ordering  Specifications  (LOTOS)  is  means  of 
representation  using  hierarchically  structured  processes.  As  with  ESTELLE,  LOTOS  was 
also  developed  by  the  ISO.  A  hierarchy  of  processes  can  correspond  to  one  entity [SIST  91]; 
a  concept  that  is  reflected  in  object-oriented  design  environments.  Systems  represented 
using  this  model  are  organized  using  a  set  of  interacting  processes  which  exchange 
information  with  each  other  and  with  the  external  systems  environment  through  gates. 
LOTOS  is  a  superset  language  consisting  of  an  abstract  data  type  language  and  an  algebraic 
notation  language,  both  of  which  uphold  good  design  principles  covered  earlier.  Interaction 
is  synchronous  through  gates  that  have  a  one-to-one  mapping  to  interaction  points. 

The  tool  implemented  in  this  thesis  uses  the  technique  of  representing  portions  of 
machine  behavior  as  abstract  data  types,  as  demonstrated  using.  A  technique  of  interpreting 
machine  behavior  through  use  of  finite  state  machine  representation,  as  with  ESTELLE, 
will  also  be  integrated  into  the  design.  Plans  for  future  upgrade  of  this  tool  include  a 
graphical  interface  similar  to  that  of  SDL. 

B.      COMMUNICATING  FINITE  STATE  MACHINES 

One  of  the  first  manual  tools  used  for  analyzing  communication  protocol  behavior  was 
the  communicating  finite  state  machine(CFSM)  model.  This  modeled  each  machine  in  the 
network  as  a  finite  automaton,  or  finite  state  machine,  with  communication  channels 
between  pairs  of  machines  modeled  as  one-way,  infinite  length  FIFO  queues.  There  has 
been  a  great  deal  of  work  in  this  area,  a  few  include  [PENG  91],  [VUON  83]  and  [RUDI 
83].  The  model  is  defined  for  an  arbitrary  number  of  machines;  however  for  simplicity  sake 
will  be  presented  as  a  two  machine  model  as  shown  in  Figure  1. 


Machine  1 

^wwwwwwvra 

Machine  2 

5000000000000000 
WJWWWWWW, 

x>scooooooooooo<y 

Figure  1:  CFSM,  two  machine  behavior  representation 


In  this  section  the  CFSM  model  will  be  defined  [GOUD  83]followed  by  a  simple 
protocol  analysis  to  illustrate  the  model. 

A  communicating  machine  M  is  a  finite,  directed  labeled  graph  with  two  types  of 
edges,  sending  edges  and  receiving  edges.  A  sending  (receiving)  edge  is  labeled  '-g'  ('+g') 
for  some  message  g,  taken  from  a  finite  set  G  of  messages.  One  of  the  nodes  in  M  is 
identified  as  the  initial  node,  and  each  node  is  reachable  from  the  initial  node  by  some 
directed  path.  A  node  in  M  whose  outgoing  edges  are  all  sending  {receiving)  edges  is  a 
sending  (receiving)  node;  otherwise  the  node  is  mixed  node.  If  the  outgoing  edges  of  each 
node  in  M  have  distinct  labels  then  M  is  deterministic;  otherwise  M  is  nondeterministic.  The 
nodes  of  M  are  often  referred  to  as  states;  the  two  terms  are  used  interchangeably. 

Let  M  and  N  be  two  communicating  machines  having  the  same  set  G  of  messages;  the 
pair  (A/^V)  is  a  network.  A  global  state  of  this  network  is  a  four-tuple  [m,cm,cn,n]  where  m 
and  n  are  nodes  (states)  from  M  and  Nt  and  cm  and  cn  are  strings  from  the  set  G  of  messages. 
Intuitively,  the  global  state  [m,cm,cn,n]  means  that  the  machines  M  and  N  have  reached 
states  m  and  n,  and  the  communication  channels  contain  the  strings  cm  and  cn  of  messages. 
Channel  cm  contains  the  messages  sent  from  M  and  N,  and  channel  cn  the  messages  sent 
from  N  to  M.  The  string  q  will  be  referred  to  as  channel  c(-. 

The  initial  global  state  of  (A///)  is  [m0,E,E,n0],  where  m0  an  n0  are  the  initial  states  of 
M  and  N,  and  E  is  the  empty  string. 

The  network  progresses  as  transitions  are  taken  in  either  M  or  N.  Each  transition 
consists  of  a  state  change  in  one  of  the  machines,  and  either  the  addition  of  a  message  to 
the  end  of  one  channel  (sending  transition)  or  the  deletion  of  a  message  from  the  front  of 
one  channel  (receiving  transition). 

A  sending  transition  in  M(N)  adds  a  message  to  the  end  of  channel  cm(cn);  a  receiving 
transition  in  M(N)  removes  a  message  from  the  front  of  channel  cn(cm). 

If  s i=[m,Ci,Cj,n]  is  a  global  state  of  (MJV),  and  state  S2  follows  S]  if  there  is  a  transition 
(in  M  or  N)  which  can  be  executed  in  sj,  such  that  the  resulting  state  is  S2-  A  state  S2  is 
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reachable  from  state  Sj  if  there  is  a  sequence  of  states  SiJi+j,...fSi+„  such  that  si  follows  sj, 
Si+j  follows  Si,  and  so  on,  and  S2  follows  Si+p.  A  state  s  is  reachable  if  it  is  reachable  from 
the  initial  state. 

The  communication  of  a  network  (MJf)  is  bounded  if,  for  every  reachable  state 
[m,cm,cn,n]  there  is  a  nonnegative  integer  k  such  that  |cj  <,k  and  |cj  £*,  where  kt  denotes 
the  number  of  messages  in  channel  c. 

A  reachability  graph  of  a  network  (A/^V)  is  a  directed  graph  in  which  the  nodes 
correspond  to  the  reachable  global  states  of  (A///),  and  the  edges  represent  the  follows 
function,  such  that  there  is  an  edge  from  state  S(  to  state  Sj,  if  and  only  if,  si  follows  s,-.  The 
edges  are  labeled  with  the  transition  which  they  represent  The  reachability  graph  can  be 
generated  by  starting  with  the  initial  state,  and  adding  the  states  which  follow  it,  connecting 
them  to  it  with  edges;  2nd  repeating  for  each  new  state  generated.An  overview  of  the 
functional  units  of  the  CFSM  model  is  shown  in  Figure  1. 


Machine  1 


Machine  2 


Global 

Reachability 

Analysis 


Figure  2:  CFSM  model  representation. 

A  global  state  [m,cm,cn,n]  is  a  deadlock  state  if  both  m  and  n  are  receiving  nodes,  and 
cm=cn=E,  where  E  denotes  the  empty  string. 

A  global  state  [mXm.c^n]  is  an  unspecified  reception  state  if  one  of  the  following  two 
conditions  are  true; 


(1)  m  is  a  receiving  state,  the  message  at  the  head  of  channel  cn  is  g,  and  none  of  MS 
outgoing  transitions  is  labeled  '+g.' 

(2)  n  is  a  receiving  state,  the  message  at  the  head  of  channel  cm  is  g,  and  none  of  n's 

outgoing  transitions  is  labeled  *+g.4 

A  simplified  version  of  the  stop-and-wait  data  link  protocol  will  be  analyzed  as  an 
example  of  analysis  with  the  CFSM  model.  The  interfaces  between  layer  6  (user)and  layer 
2  (data  link)  of  the  Open  Systems  Interconnection  (OSI)  model  is  transparent  in  all  the 
examples  addressed  in  this  thesis.  An  assumption  is  made  that  the  higher  layer  has  passed 
the  information/frames  without  error.  The  frames  at  each  layer  have  accomplished  the 
appropriate  concatenation  of  header  and  address  information.  So,  at  layer  2,  this  protocol 
consists  of  two  distinct  entities,  a  sender  and  a  receiver.  Machine  one  serves  as  the  sender 
and  machine  2  serves  as  the  receiver  as  shown  in  Figure  3.  The  sender  places  a  frame  on 
the  channel  to  the  receiver.  The  receiver  senses  a  frame  on  the  incoming  channel  and 
accepts  the  message  from  the  channel,  removing  the  message  from  the  incoming  channel. 
The  receiver  then  sends  an  acknowledgment  packet  to  the  sender.  The  sender  senses  the 
acknowledgment  packet  and  is  clear  to  send  another  frame  of  information  to  the  receiver. 


-D 


Figure  3:  CFSM  specification  for  stop-and-wait. 

The  finite  state  machines  in  Figure  3  represent  the  behavior  of  the  definition  of  the 
stop-and-wait  protocol.  The  -D  represents  sending  data,  +D,  receiving  data,  -A,  send 
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acknowledgment,  and  +A,  receive  acknowledge.  As  per  the  definition  of  the  CFSM  model, 
there  is  two  channels,  one  from  machine  1  to  machine  2  and  one  from  machine  2  to  machine 
1.  The  notch  on  state  1  of  both  machines  represents  the  initial/starting  state. 

The  global  reachability  analysis  graph  shown  in  Figure  4  is  free  from  deadlock, 
unspecified  receptions,  and  unexecuted  transitions. 


[0,E,E,0] 
-D 


I 


1,D,E,0] 
+D 


[1,E„E,1] 
-A 


1 


[1,E,A,0] 

I  +A 


Figure  4:  CFSM,  global  reachability  analysis,  stop-and-wait. 

This  model  has  many  desirable  features  as  well  as  some  disadvantages  that  are 
improved  in  the  SCM  model.  The  one  glaring  disadvantage  is  that  the  analysis  might  not 
terminate  if  the  queue  length  is  unbounded.  The  number  of  global  states  in  Figure  4  is 
trivial,  but  for  complex  specifications  the  number  of  states  will  lead  to  a  combinatorial  state 
explosion.  This  is  even  true  when  the  queue  length  is  very  restrictive.  As  pointed  out  in 
[LUND  91b],  the  specification  of  a  practical  protocol  can  be  so  complex,  containing 
hundreds  of  states  and  transitions,  that  the  user  can  not  be  sure  of  the  intended  specification 
or  grasp  the  intuitive  feel  for  what  the  protocol  is  intended  to  do.  This  model  has  the 
advantage  of  simplicity  and  a  method  of  analysis  that  can  be  easily  automated. 
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C.      SYSTEM  OF  COMMUNICATING  MACHINES 

In  this  section  the  model  used  to  specify  and  analyze  protocols  is  briefly  described  A 
more  detailed  description  appears  in  [LUND  91a]  .  Following  the  definition  of  the  model 
will  be  an  analysis  of  a  simple  protocol  to  illustrate  the  model. 

A  system  of  communicating  machines  is  an  ordered  pair  C  =  (M,V),  where 

M-{mi,m2,.../nn} 
is  a  finite  set  of  machines,  and 

V=(v7,v2,...vn} 

is  a  finite  set  of  shared  variables,  with  two  designated  subsets  /?,•  and  W^  specified  for  each 
Machine  m,\  The  subset  /?,  of  V  is  called  the  set  of  read  access  variables  for  Machine  mv 
and  the  subset  W^  the  set  of  write  access  variables  for  m$. 

Each  Machine  mz-  £  M  is  defined  by  a  tuple  (Si,SQ,Li^/i,Xi),  where 

(1)  Si  is  a  finite  set  of  states; 

(2)  sq  £  5,  is  a  designated  state  called  the  initial  state  of  m,v 

(3)  L,-  is  a  finite  set  of  local  variables; 

(4)  Nz-  is  a  finite  set  of  names,  each  of  which  is  associated  with  a  unique  pair  (p,a), 
where  p  is  a  predicate  on  the  variables  of  Li  u  Ri  and  a  is  an  action  on  the  variables  of 

Li  u  Ri  u  Wi 

(5)  X,-:  Si  x  Ni  ->  Si  is  a  transition  function,  which  is  a  partial  function  from  the  states 
and  names  of  m,-  to  the  states  of  mx-. 

Machines  model  the  entities,  which  in  a  protocol  system  are  processes  and  channels. 
The  shared  variables  are  the  means  of  communication  between  the  machines.  Intuitively, 
Ri  and  Wt  are  the  subsets  of  V  to  which  m,-  has  read  and  write  access,  respectively.  A 
machine  is  allowed  to  make  a  transition  from  one  state  to  another  when  the  predicate 
associated  with  the  name  for  that  transition  is  true.  Upon  taking  the  transition,  the  action 
associated  with  that  name  is  executed. 
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The  set  L,  of  local  variables  specifies  a  name  and  a  range  for  each.  The  range  must  be 

a  finite  or  countable  set  of  values. 

A  system  state  tuple  is  a  tuple  of  all  machine  states.  That  is,  if  (M,V)  is  a  system  of  n 
communicating  machines,  and  sit  for  1  <  i  <  n,  is  the  state  of  Machine  m,-,  then  the  n-tuple 
(Sj,S2,...*s^)  is  the  system  state  tuple  of  (M,V). 

A  system  state  is  a  system  state  tuple  together  with  its  enabled  outgoing  transitions. 
Two  system  states  arc  equivalent  if  every  machine  is  in  the  same  state,  and  the  same 
outgoing  transitions  are  enabled. 

The  initial  system  state  is  the  system  state  such  that  every  machine  is  in  its  initial  state, 
and  the  enabled  outgoing  transitions  are  the  same  as  in  the  initial  global  state. 

The  global  state  of  a  system  consists  of  the  system  state,  plus  the  values  of  all 
variables,  both  local  and  shared.  The  initial  global  state  is  the  initial  system  state,  with  the 
additional  requirement  that  all  variables  have  their  initial  values.  A  global  state 
corresponds  to  a  system  state  if  every  machine  is  in  the  same  state  and  the  same  outgoing 
transitions  are  enabled. 

Let  T(j/,n)  =  52  be  a  transition  which  is  defined  on  Machine  m,-.  Transition  X  is 

enabled  if  the  enabling  predicate  p,  associated  with  name  n,  is  true.  Transition  T  may  be 
executed  whenever  m,-  is  in  state  sj  and  the  predicate  p  is  true  (enabled).  The  execution  of 

T  is  an  atomic  action,  in  which  both  the  state  change  and  the  action  a  associated  with  n 
occur  simultaneously.  The  format  for  the  associated  predicate-action  table  is  shown  in 
Table  1. 
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GLOBAL  VARIABLE 


Machine  1 

local  variable 


Machine  2 

local  variable 


Figure  5:  SCM,  two  machine  behavior  representation. 
TABLE  1 :  SCM,  two  machine  predicate-action  table  format. 


Transition 

Enabling  Predicate 

Action 

Transitions 
for  Machine  1 

Values  of  variables  that  must 
hold  true  for  the  transition  to  be 
enabled. 

The  local  and  GLOBAL  variable 
behavior  when  the  transition  is 
taken. 

Transitions 
for  Machine  2 

Same  as  above. 

Same  as  above. 

Note  that  if  the  values  of  all  variables  are  restricted  to  some  finite  range,  then  the 
model  can  be  reduced  to  a  simple  finite  state  machine.  Otherwise  an  infinite  number  of 
global  states  are  possible.  However,  even  if  the  number  of  global  states  is  infinite,  the 
number  of  system  states  is  finite,  because  of  the  finiteness  of  each  machine.  This  may  allow 
a  reachability  analysis  on  the  system  states,  when  a  reachability  analysis  on  the  global  states 
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is  infinite.  General  behavior  of  the  SCM  model  is  shown  in  Figure  1  and  the  general  SCM 
model  representation  is  found  in  Figure  1. 
Machine  1 


FSM 


Machine  2 


FSM 


Predicate 

Action 

Table 


SCM 
Model 


Global 

Reachability 

Analysis 


System 

Reachability 

Analysis 


Figure  6:  SCM,  general  model  representation 

The  stop-and-wait  protocol  will  also  be  used  to  demonstrate  the  analysis  using  the 
SCM  model.  The  stop-and-wait  protocol  specification  is  the  same  as  defined  in  the  previous 
section.  The  specification  as  represented  by  the  SCM  model  is  shown  as  a  set  of  finite  state 
machines  and  a  predicate-action  table. 

The  finite  state  machine  representation  for  the  SCM  model  is  similar  to  the  CFSM 
example.  Again  this  protocol  is  only  demonstrated  with  two  machines.  The  FSM's  are 
shown  in  Figure  3.  Also  shown  are  the  local  and  global  variables.  The  local  variables  in 
Machine  1  and  2  can  have  the  values  of  D(data),  A  (acknowledgment),  and  E(empty).  The 
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initial  value  for  out_buff  is  D  and  the  initial  values  for  all  other  variables  is  E.  The  system 
global  variable,  CHAN  can  have  the  same  values  as  the  local  variables. 


out  buff 


CHAN 


RET 


in  buff 


Figure  7:  SCM  specification  for  stop-and-wait,  finite  state  machines  and  variable 

definitions. 

The  predicate-action  table  is  shown  in  Table  2.  For  this  example  the  assumption  is 
made  that  data  is  always  made  available  to  the  CHAN  from  outjbuff. 

TABLE  2:  SCM  specification  for  stop_and_wait,  predicate  action  table. 


Transition 

Enabling  Predicate 

Action 

-D 

CHAN  =  E  A 
out_buff/=  E 

CHAN  :=  out_buff 

+A 

RET  =  A 

RET  :=  E 
CHAN  ;=  E 

+D 

CHAN  /=  E 

in_buff:=CHAN 

-A 

true 

RET:=A 
in_buff  .=  e; 
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The  global  state  reachability  and  system  state  reachability  graphs  are  found  in  Figure 
4  and  Figure  4.  The  format  for  the  global  state  tuple  of  the  stop-and-wait  protocol  is: 
[  Machine  l_state,  out_buff,  CHAN,  RET,  in_buff,  Machine2_state  ] 


[0,d,E,E,e,0] 

r 

[l,d,D,E,e,0] 

l+D 

[l,d,D,E,d,l] 
-A 

T 

[l,d,D,A,d,0] 
l+A 


Figure  8:  SCM,  global  reachability  analysis,  stop-and-wait. 

The  format  for  a  system  state  tuple  for  all  cases  of  analysis  is: 

[  Machine  l_state,  Machine2_state  ] 


[0,0] 
[1,0] 

r 

tun 

-A 

[1,0] 
I  +A 


Figure  9:  SCM,  system  reachability  analysis,  stop-and-wait. 
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The  SCM  model  has  desirable  properties  found  in  the  CFSM  model  as  well  as 
overcoming  some  of  the  inherent  disadvantages  of  the  CFSM  model.  In  the  SCM  model  the 
behavior  of  the  protocol  can  be  clearly  and  quite  adequately  represented,  maintaining  an 
intuitive  feel  of  the  specification.  The  SCM  model  can  ameliorate  the  combinatorial  state 
explosion  through  the  use  of  system  state  analysis,  gready  reducing  the  generated  states. 
Instead  of  implicit  queues,  shared  variables  are  used  for  communications  between 
processes.  This  allows  communications  between  machines  in  non  sequential  manner, 
unlike  a  FIFO  queue  representation  in  the  CFSM  model. 

The  final  advantage  is  the  nature  of  the  SCM's  representation  of  a  protocol  gives  it 
the  feel  of  a  programming  language.  Although  more  complex  to  program  than  a  CFSM 
model,  the  actions  associated  with  the  FSM  and  the  predicate-action  table  lend  themselves 
to  automated  implementation. 

D.      LANGUAGE  CONSIDERATIONS 

Which  language  should  the  CFSM  and  SCM  models  would  be  implemented  in? 
Before  all  the  available  languages  were  researched,  a  list  of  desirable  properties  that  the 
language  must  have  (specific  to  the  models),  was  developed.  After  a  close  inspection  of  the 
definition  and  nuances  of  the  CFSM  model,  SCM  model,  and  the  reachability  analysis 
generated,  there  were  a  number  of  language  properties  that  were  found  desirable  to  this 
project. 

The  language  properties  should  support  hardware  and  software  design  issues.  The 
code  must  be  portable  from  one  architecture  to  another.  The  language  should  have  a  means 
to  create  different  class  instances  from  a  base  class.  An  intuitive  means  to  provide 
meaningful  output  of  the  analysis  and  programming  error  messages  to  the  user  enhances 
the  program's  utility.  Since  the  program  must  simulate  network  specifications  there  is  an 
inherent  need  to  be  able  to  do  multiprocessing  or  multitasking  in  the  programming 
environment.  The  language  of  choice  should  enforce  the  rules  of  strong  typing,  that  is  not 
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allowing  mixing  of  types  and  subtypes.  The  final  property  of  the  language  should  be  its  ease 
of  use  and  understandibility. 

The  language  of  choice  should  be  portable  between  different  machines.  It  cannot  be 
assumed  that  the  user  has  access  to  a  mainframe  computer  or  workstation.  The  language 
should  be  compilable  on  a  machine  as  small  as  a  personal  computer. 

Implementation  of  the  models  should  help  the  user  to  avoid  and  detect  mistakes.  The 
environment  should  prompt  the  user  when  a  syntactical  or  semantic  error  is  made.  The  error 
messages  should  be  meaningful.  Inherent  to  this  requirement,  the  language  should  enforce 
strict  definitions  of  atomic  structures,  such  as  data  structures. 

Dynamic  list  creation  /deletion  are  necessary  in  reachability  graph  construction.  This 
allows  flexible  and  ultimately  limitless  (hardware  specific)  analyses  to  be  done.  Linked  list 
creation  and  traversal  should  make  use  of  reusable  programming  units.  The  logic  for 
creating  new  nodes  should  allow  the  program  to  'remember'  where  the  last  node  was  built. 
This-should  be  done  automatically,  without  user  intervention  after  compile  time. 

An  important  property,  although  subject  to  varying  opinion,  is  ease  of  use.  The  project 
is  developed  in  one  language,  but  the  human  interface  to  the  underlying  code  must  be 
understandable  and  intuitive.  Hand  in  hand  with  ease  of  use,  is  ease  of  maintainability. 
There  should  be  enough  on-line  and  off-line  help  to  allow  the  user  to  navigate  the  the  user 
interface.  An  understandable  debugger  was  also  a  factor  in  the  choice. 

Ada  was  chosen  because  it  supports  the  above  mentioned  properties.  It  is  a  language 
that  is  portable  between  different  architectures.  It  supports  generic  class  creation  and 
instantiation.  Through  the  use  of  predefined  input  and  output  packages,  the  user  is  allowed 
to  build  a  suitable  interface  environment.  With  the  use  of  exception  handling  meaningful 
error  messages  can  be  created  and  employed.  Ada  also  has  the  ability  to  multitask, 
simulating  parallel  processing.  Finally,  Ada  is  easy  to  use.  The  code  can  be  read  by  a  novice 
and  understand  what  is  meant  to  happen. 

The  language  of  C/C++  was  not  chosen  due  to  a  few  limitations.  At  the  time  of  this 
writing  it  could  not  support  multitasking  needed  to  simulate  concurrency  or  broadcast 
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networks.  It  was  also  difficult  to  do  generic-like  coding.  The  object  orientation  of  the 
design  lent  itself  very  nicely  to  the  structures  used  in  the  CFSM  and  SCM  model  as  covered 
in  [RUMB  91].  It  became  apparent  that  there  was  reused  code  that  would  have  been  more 
efficiently  implemented  with  generic  data  structures.  Although  it  could  have  been  done 
with  the  use  of  macro-like  instructions,  generic  packages  made  the  project  more  compact 
and  efficient.  Generic  package  creation  and  instantiation  was  not  supported  by  the  current 
version  of  the  C/C++  compiler.  The  C  programming  environment  does  not  support 
exception  handling;  programming  error  detection  messages  were  vague  and  could  not  be 
developed  by  the  user.  A  good  means  of  automatic  implementation  of  error  messages  in  the 
C++  environment  was  not  available  at  the  time  of  this  publishing.  Ada  could  do  this 
through  use  of  exception  handling. 
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HI.  A  PROGRAM  FOR  GENERATING  A  CFSM  REACHABILITY 

ANALYSIS 


In  this  chapter  the  organization  of  the  CFSM  program  will  be  described.The  means  for 
input,  output,  and  reachability  analysis  will  be  highlighted.  Excerpts  of  the  underlying  code 
will  be  accompanied  by  a  brief  explanation.  The  formal  definition  of  the  CFSM  model 
found  in  Chapter  II  is  the  basis  for  constructing  the  program. 

A.      PROGRAM  STRUCTURE 

The  structure  of  the  CFSM  program  is  based  on  functional  units  (objects)  of  the 
general  CFSM  model.  The  data  structures  of  the  basic  objects  must  represent 
communication  channels,  machine  states,  transitions,  and  a  means  for  capturing  global 
tuple  (state)  values.  In  addition  to  constructing  the  fundamental  data  structures,  there  must 
be  an  intuitive  input  mechanism  for  the  FSM's  and  an  understandable  display  of  the 
analysis. 

Implementation  details  should  be  hidden  from  the  user.  Operations  such  as  loading  the 
CFSM  into  memory,  performing  a  reachability  analysis,  constructing  the  global 
reachability  graph,  and  traversing  the  graph  during  searches/output  are  independent  of  the 
specific  protocol  to  be  analyzed. 

The  program  consists  of  input  related  procedures,  a  reachability  analysis,  and  output 
procedures.  To  help  manage  such  a  complex  and  large  programming  project,  separate 
compilation  units  were  used.  The  compilation  units  were  physically  grouped  by  file 
according  to  the  function  it  performed  as  shown  below: 

TABLE  3:  CFSM  compilation  units. 


Compilation  Unit 

Description 

File 

read_in_file 

parse  text  input  file 

input.a 

load_machine_array    • 

builds  machine  adjacency 
lists  from  parsed  file 

input.a 
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Compilation  Unit 

Description 

File 

build_Gstate_graph 

builds  global  reachability 
analysis  graph 

reachability,  a 

clear_pointers 

clears  values  for  another 
input  file 

reachability,  a 

search_for_tuple 

performs  BFS  search  of 
graph 

search. a 

IsEqual 

compares  global  records 
for  equality  (similar  to  =) 

search,  a 

output_Gstate_node 

format  for  node  output 

output.a 

output_Gstate_transition 

format  for  transition  output 

output.a 

output_Gstates 

traverses  graph  and  outputs 
nodes  and  transitions 

output.a 

output_machine_arrays 

format  output  of  contents 
of  adjacency  lists 

output.a 

create_output_file 

creates  file  for  analysis  out- 
put 

output.a 

This  use  of  separate  subprograms(compilation  units)  facilitated  the  development  of  the 
SCM  program  from  existing  CFSM  code. 

The  behavior  at  run  time  is  shown  in  Figure  10  and  associated  files  of  the  CFSM 
program  are  shown  in  Figure  11. 


Text  File  (FSM's) 


Reachability 
Analysis 


Figure  10:  CFSM  run  time  behavior 
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Generic  Packages 


main  procedure 

MIIMIIIIIIIIIIIIIIIIIIIIIIIII 

cfsm.a 

IIIIIIIIIIIIIIIIIMII Hill 


Separate  Compilation 
Units  (contained  in 
files) 


Figure  1 1 :  CFSM  compilation  units. 

i 

During  the  design  phase  of  the  program  it  became  apparent  that  some  software 
components  and  structures  were  used  more  than  once.  For  instance,  when  doing  a 
reachability  analysis  many  types  of  stacks  and  queues  were  used.  Although  the  underlying 
data  types  were  different,  the  algorithm  for  each  structure  was  exactly  the  same.  To  increase 
efficiency,  generic. packages  were  used.  Generic  units  are  defined  as  a  reusable  software 
module  or  a  program  unit  template  [GONZ  91]. 

The  implementation  of  stacks  and  queues  is  accomplished  using  generics.  For 
instance,  within  the  program  there  is  a  need  for  a  queue  of  characters  representing  the  flow 
of  information  on  the  channels  between  two  machines.  To  assist  in  the  construction  of  the 
reachability  graph  there  needs  to  be  a  queue  of  pointers  to  graph  nodes  (see  Section  C). 
Each  type  of  queue  has  some  common  procedures  and  functions.  Each  needs  procedures  to 
clear  the  queue,  enqueue,  and  dequeue.  Each  must  also  have  functions  that  return  the  value 
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of  the  first  item  of  the  queue,  determine  if  the  queue  is  empty  and  determine  if  the  contents 
of  two  queues  are  equal.  If  these  common  functions  and  procedures  had  to  be  rewritten  with 
a  different  underlying  data  type,  the  number  of  compilation  units  as  well  as  the  object  code 
would  increase;  thus  the  user  would  be  saddled  with  more  'waiting'  time. 

The  protocol  environment  can  be  modified  by  using  generic  parameters.  The  generic 
package,  queues,  has  two  parameters  to  the  object-  the  item  type  and  the  maximum  size  of 
the  queue.  This  allows  the  user  to  define  what  type  of  items  are  contained  in  the 
channel(queue)  and  how  big  the  channel(queue)  can  be.  Two  instantiations  of  queues  in  the 
program  are: 

package  queue_pack  is  new  queues (character,  MAX=>3) ; 

package  Gpointer_queue_pack  is  new  queues (Glink_type,MAX=>10) ; 

The  queue  jpack  package  defines  a  queue  of  characters.  A  ceiling  or  bound  can  be  placed 
on  the  amount  of  messages  on  a  channel.  If  an  unbounded  channel  is  to  be  simulated  the 
maximum  allowable  integer  can  be  given.  The  pointer  queue  Gpointer_queue_pack  gives 
the  user  a  means  to  determine  the  maximum  size  of  a  reachability  graph.  Although,  in  the 
general  case,  a  large  number  is  preferred  to  allow  all  tuples  (states)  to  be  generated  in  a 
protocol  reachability  graph.  The  generic  package  stacks  was  implemented  in  a  similar 
fashion. 

B.      INPUT 

An  important  step  in  designing  the  CFSM  and  SCM  programs  is  developing  a 
meaningful  method  of  inputting  the  finite  state  machines.  The  graphical  representation  of 
a  simple  FSM  conveys  a  behavior  associated  with  a  protocol  specification.  A  means  to 
transfer  this  graph  into  a  data  structure  that  can  be  used  in  the  reachability  analysis  was 
developed. 

The  FSM's  were  input  as  a  text  file.  This  file  is  built  by  the  user  with  a  set  of  language 
rules  similar  to  Backus-Naur  Form  (BNF).  The  input  file  is  parsed  one  line  at  a  time.  Each 
line  is  read  into  a  line  buffer  and  tokens  formed  according  to  the  rules  defined  below.  From 
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the  tokens,  an  internal  data  structure  is  generated  to  represent  the  set  of  finite  state 
machines.  The  list  of  valid  instructions  for  finite  state  machine  input  is: 

start 

machine  <natural> 

state  <natural> 

initial_state  <natural>  <natural> 

trans  <- I +>  <a lb  I . . . I z I A|B | . . . I Z>  <natural> 

finish 

The  tokens  are  cast  into  either  enumerated  types  (instructions)  or  integers  (integer 

variables).  The  integer  variables  have  been  formally  defined  within  the  main  procedure  in 

Appendix  A. 

The  meaning  of  the  instructions  are: 


start  Serves  as  a  beginning  flag  for  the  file. 

machine  Defines  the  current  machine, 

state  Defines  the  current  state. 

initial_state     The  intitial/start  state  for 

machines  one  and  two . 
trans  Transition  type,  transition 

message,  and  next  state. 
,    finish  This  token  serves  as  an  ending  flag  for 

the  file. 

Representation  of  a  finite  state  machine  using  the  above  convention  has  some  inherent 
constraints.  Since  an  input  token,  such  as  the  transition  -D,  cannot  be  directly  caste  into  an 
enumeration  token  (no  special  characters  at  the  beginning  of  a  token),  the  (-,+)  must  be 
converted  separately  to  (snd,rcv)  tokens.  The  use  of  alphabetic  characters  to  represent 
messages  in  a  channel,  limits  messages  to  52  distinct  types  (a..z,A..Z).  The  input  file  for 
stop_and_wait  is: 

start 
machine  1 
state  0 
trans  -D  1 
state  1 
trans  +A  0 
machine  2 
state  0 
trans  +D  1 
state  1 
trans  -A  0 
initial_state  0  0 
finish 
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The  data  structure  representing  the  CFSM  is  then  used  to  construct  a  reachability 
analysis  graph.  The  two  data  structures  that  support  directed  graphs  (or  finite  state 
machines)  are  adjacency  lists  and  adjacency  matrices.  Since  the  use  of  adjacency  matrices 
to  construct  directed  graphs  can  lead  to  wasted  hardware  memory,  adjacency  lists  (one 
dimensional  array  of  linked  lists)  were  implemented. 

The  data  structure  to  build  the  adjacency  list  and  the  constraints  are: 

type  machine_array_record_type; 

type  Mlink_type  is  access  machine_array_record_type; 
type  cfsm_transition_type  is  (snd,  rev, unused) ; 
type  executed_type  is  (yes, no); 
type  machine_array_record_type  is 
record 

transition        :  cf sm_transition_type; 

message  :  character; 

next_state        :  natural; 

executed  :  executed_type; 

Mlink.  :  Mlink_type 

end  record; 

type  machine_array_type  is  array  (positive  rangeO) 

of  Mlink_type; 
type  system_array_type  is  array (1.. 2) 

of  machine_array_type; 

Some  data  structures  shown  above  are  peculiar  to  Ada.  Access  types  are  data  types  that 
provide  an  access  ("pointer")  to  an  object  of  another  type  or  subtype.  It  reserves  storage 
locations  during  the  execution  of  a  program  dynamically  by  use  of  a  memory  allocator.  A 
record  type  is  simply  a  collection  of  elements  where  each  element  is  referred  to  by  its  name. 
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The  array  of  linked  lists  is  defined  as  an  unconstrained  array;  whereas,  at  compile  time,  the 
number  of  machines  is  set  at  two.  To  illustrate  the  finite  state  machine  data  structure  the 
CFSM  stop_and_wait  protocol  is  shown  in  Figure  12. 

Machine  1 


in 


w 

CO 


0 

transition 

snd 

message 

D 

next  state 

1 

w 

executed 

no 

Mlink 

1 

+— 

transition 

rev 

message 

A 

next  state 

0 

executed 

no 

Mlink 



2 

A 

\\ 

w 

M 

Machine  2 


0 

transition 

rev 

message 

D 

next  state 

1 

w 

executed 

no 

Mlink 

1 

A 

transition 

snd 

message 

A 

next  state 

0 

V 

executed 

no 

Mlink 

_ 

2 

|| 

W 

M 

Figure  12:  Finite  State  Machine  representation,  stop_and_wait 

C.      REACHABILITY  ANALYSIS 

In  order  to  determine  if  all  states  in  a  network  are  reachable  a  graph  is  constructed. 
After  the  textual  representation  of  the  CFSM  is  input,  the  adjacency  lists  are  constructed  as 
described  in  the  previous  section.  The  initial  states  for  each  machine  indicate  the  starting 
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position  of  each  list.  From  the  lists  a  directed  graph  is  constructed-  It  is  from  this  directed 
graph  that  deadlocks  and  unspecified  receptions  are  sensed  and  the  appropriate  output 
message  is  displayed. 

The  algorithm  to  construct  the  global  reachability  graph  is: 

loop 

for  machine  I  array  index  in  1  ..rowsize  loop 

ifmachinel  farray  Jndex). transinon^snd  or 
machinel(arr ay  Jndex). message- top _of.queue21  then 
make  temp  G 'state  record 
search  list  for  G  state  record 

if  found  then  link  current  to  found  state 
else  make  new  node  and  link  into  G state _graph 
and  push  pointer  onto  pointer  stack 
else  nonejbund 
end  loop 
for  machine!  array Jndex  in  l..rowsize  loop 

ifmachinel  (array  Jndex).transition=snd  or 
machine2(arr ay  Jndex).  message- top  _of.queuel2  then 
make  temp  G state  record 
search  list  for  Gstate  record 

if  found  then  link  current  to  found  state 
else  make  new  node  and  link  into  Gstate _graph 
and  push  pointer  onto  pointer  stack 
else  nonejound 
end  loop 
if  stack  is  empty  then 

raise  STACK JEMPTY 
else 

pop  last  Gstate 
end  loop 

The  initial  global  state  tuple  (node)  is  created  from  the  starting  state  of  each  machine's 
adjacency  list.  From  the  top  node,  tuples  (global  states)  are  added  to  the  graph  using  the 
reachability  algorithm.  The  algorithm  shows  the  graph  being  constructed  with  stack  based 
implementation,  allowing  a  breadth  first  construct.  The  option  is  given  to  the  user  to 
construct  the  graph  depth  first.  A  case  statement  is  used  to  toggle  between  stack  or  queue 
procedures/functions  (this  is  not  shown  in  the  algorithm  above.)  Figure  13  shows  the 
internal  representation  of  the  global  reachability  graph  for  the  stopjind_wait  protocol 
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Figure  13:  CFSM  internal  reachability  graph,  stop_and_wait 
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Note  that  when  a  tuple  is  generated  a  data  structure  representing  a  transition  and  a  node  are 
separately  added.  The  field  newjtode  was  included  in  the  transition  structure  to  allow 
proper  traversal  of  the  graph.  The  current  version  of  the  program  allows  for  four  transitions 
from  each  tuple.  This  can  be  expanded  upward  if  needed. 

Exception  handlers  were  used  to  maintain  control  in  the  reachability  graph 
construction.  Whenever  a  queue  or  stack  is  empty  the  control  is  handed  to  the  exception 
handler  to  continue  program  execution.  The  exception  handlers  allow  definition  of  specific 
error  conditions  to  be  sensed  and  appropriate  action  taken. 

During  graph  construction,  global  state  tuples  are  identified  that  satisfy  the  deadlock 
and  unspecified  reception  properties.  If  a  global  state  node  has  only  receiving  transitions 
from  it  and  both  the  queues  are  empty,  a  deadlock  message  is  displayed  to  output.  If  the 
global  state  node  has  outgoing  receive  transitions  and  the  head  of  the  respective  queue  does 
not  match  the  receive  transition  (assuming  the  queue(s)  are  not  empty)  then  an  unspecified 
reception  message  is  displayed  to  output.  When  the  construction  of  the  graph  is  complete 
the  adjacency  lists  are  checked  for  any  unexecuted  transitions.  The  contents  of  the  lists  are 
displayed  after  the  output  of  the  graph  is  done.  Unexecuted  transitions  are  identified  by  the 
execution  field,  with  a  no  entry.  For  an  example  see  Figure  15 

Upon  completion  of  the  reachability  graph  construction,  a  pointer  to  the  top  global 
state  node  is  passed  to  the  output  procedure. 

When  constructing  a  reachability  graph  there  are  two  factors  that  need  to  be 
considered-  run  time  and  the  size  of  the  graph  generated.  As  noted  earlier,  a  ceiling  can  be 
placed  on  the  size  of  the  graph  by  the  user  prior  to  compilation.  Ideally,  a  specification  can 
be  input  to  the  program  and  an  analysis  could  run  for  as  long  as  needed  (perhaps  days); 
however,  most  computer  systems  are  limited  by  storage.  The  question  of  storage  capacity 
is  left  to  the  user  of  the  program.  A  determination  must  be  made  as  to  how  large  a  graph  to 
anticipate  (worst  case  is  the  largest  integer  represented  on  the  register)  and  how  much 
storage  space  can  the  underlying  system  provide. 
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The  design  of  the  program  addresses  the  issue  of  running  time.  The  running  time,  or 
complexity,  of  the  reachability  analysis  is  dominated  by  the  algorithm  that  governs  the 
directed  graph  traversal.  All  traversals  are  done  in  both  models  (CFSM  and  SCM)  in  a 
recursive,  depth  first  manner.  The  complexity,  or  big  O  notation,  for  traversals  of  a  directed 
graph  can  easily  be  defined.  Consider  a  reachability  graph  G=(V\£)  consisting  of  a  set  V  of 
vertices(nodes),  and  a  set  E  of  edges(transitions).  Each  edge  corresponds  to  a  pair  of 
distinct  vertices  in  the  directed  graph.  The  running  time  or  complexity  of  such  a  graph 
traversal  is  proven  by  induction  to  be  <9(IV1  +  l£l).  A  rigorous  proof  of  the  complexity 
appears  in  [MANB  89]. 

D.      OUTPUT 

The  output  procedure  for  the  CFSM  tool  displays  the  reachability  graph  and 
associated  messages  to  both  a  text  file  and  the  default  output  device.  The  output  procedure 
has  as  a  parameter  a  pointer  to  the  top  global  state  (node).  From  the  top  node  the  graph  is 
traversed  in  a  depth  first  manner  and  saved  to  an  output  medium.  The  contents  of  the 
adjacency  list  are  also  displayed  to  output  providing  a  means  to  cross  check  the  CFSM 
construction  and  identify  unexecuted  transitions  as  shown  for  stop _and_wait  in  Figure  14. 
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REACHABILITY  ANALYSIS  of  :  stop.and.wait 


i 

[  0  ,  E  ,  E  ,  0  3 

-D 

C  1  ,  D  ,  E  ,  0  3 

2 

2 

C  1  ,  D  ,  E  ,  0  ] 

♦D 

C  1  ,  E  ,  E  ,  1  3 

3 

3 

[  1  ,  E  ,  E  ,  1  3 

-A 

C  1  ,  E  ,  A  ,  0  3 

4 

4 

C  1  ,  E  ,  A  ,  0  3 

♦A 

[  0  ,  E  ,  E  ,  0  3 

1 

Machine  1  Array  Contents 


I  Fro*  I  To  I  Transition  I  Executed  I 

I   0   I   1  I    snd  D   I   yes    I 
I   1   I   0  I    rev  A   I   yes    I 


I  Machine  2  Array  Contents  I 

I  Fro*  I  To  I  Transition  I  Executed  I 

I   0  I   1  I    rev  D   I   yes  I 

I   1  I   0  I     snd  A   I   yes  I 


*  The  nodes  generated  by  the  analysis 
were  done  in  a  breadth  first  manner 


Figure  14:  CFSM,  analysis  output,  stop_and_wait 

To  illustrate  the  formatting  of  the  model's  output  an  example  is  presented.  Assume 
that  a  CFSM  exists  reflected  by  the  following  specification: 


Machine  1 


Machine  2 

+x 


The  input  file  is: 
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start 
machine  1 
state  1 
trans  -D  2 
state  2 
trans  +A  1 
machine  2 
state  1 
trans  +D  2 
state  2 
trans  -A  1 
initial_state  1  1 
finish 

The  output  file  reflecting  deadlock,  unspecified  receptions,  and  unexecuted  transitions 

is  shown  in  Figure  15. 

REACHABILITY  ANALYSIS  of  :  deadlock_exa«ple 
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,  3  3 

♦X    C  2  ,  E  ,  B  ,  1  ]          5 

5 
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B  , 

,  1  ] 

-B    [  2  ,  E  ,  BB  ,  3  ]          G 

6   C  2  ,  E  ,  BB  ,  3  ]    *******  Unspecified  Reception  ****** 


Machine  1  Array  Contents 


I  Frox  I  To  I  Transition  I  Executed  I 

1112  1    snd  X   I   yes    I 
I   2   I   1  I    rev  A   I   no     I 


I  Machine  2  Array  Contents  I 

I  FroK  I  To  I  Transition  I  Executed  I 

I   1  I   3  I    snd  B   I   yes  I 

I   1  I   2  I     rev  X   I   yes  I 

I   2  I   1  I    rev  B   I   no  I 
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*  The  nodes  generated  by  the  analysis 
were  done  in  a  depth  first  manner 


Figure  15:  CFSM,  analysis  output,  deadlock/unspecified  reception/unexecuted  transition 

example. 
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IV.  AN  AUTOMATED  TOOL  FOR  SCM  REACHABILITY 

ANALYSIS 


In  this  chapter,  a  program  is  introduced  that  automates  the  SCM  model .  It  provides 
an  intuitive  environment  to  input  a  protocol  specification  and  receive  the  analysis  in  an 
understandable  format.  Since  the  model  only  uses  variables  and  finite  state  machines  to 
describe  a  protocol's  behavior,  it  is  considered  an  approximate  model.  There  are  certain 
details  of  protocol  design,  such  as  message  and  header  format,  that  are  abstract  from  the 
analysis.  The  succinctness  of  a  protocol  representation  helps  analyze  the  logic  and  structure 
without  getting  lost  in  a  myriad  of  detail. 

The  organization  of  this  program  is  similar  to  that  of  the  CFSM  program.  A  means  for 
input,  output,  global  reachability  analysis,  and  system  reachability  analysis  are  highlighted. 
Excerpts  of  the  code  are  accompanied  by  a  brief  explanation  of  structure  and 
application.The  formal  definition  of  the  SCM  model  found  in  Chapter  II  is  the  basis  for 
constructing  the  program. 
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The  protocol  specification  and  analysis  of  the  stop_and_wait  data  link  protocol  will 

be  used  throughout  this  chapter  to  demonstrate  the  interface  of  the  program  to  the  user.  The 

specification  for  the  sample  protocol  is  shown  in  Figure  16. 

Machine  1  Machine  2 

CHAN 


out  buff 


RET 


in  buff 


xmt 


Transition 

Enabling  Predicate 

Action 

xmt_data 

CHAN  =  E  A 
out_buffl=  E 

CHAN .=  out  buff 

rcv_ack 

RET  =  A 

RET .  =  E 
CHAN  .=  E 

rcvjidta 

CHAN  /=  £ 

in_buff ';=  CHAN 

xmt_ack 

true 

RET  .=  A 
in  buff  :~e; 

Figure  16:  SCM,  specification  for  stop  jmd_wait. 

A.      PROGRAM  STRUCTURE 

The  structure  of  the  SCM  program  is  similar  to  the  CFSM  implementation.  There  must 
be  a  means  for  input,  output,  and  reachability  analysis.  The  input  is  more  complex  because 
not  only  must  the  FSM's  must  be  entered,  but  also  variable  definitions  and  the  associated 
predicate- action  table  as  shown  in  Figure  16.  The  input  can  be  viewed  as  hierarchical.  The 
global  and  system  reachability  analysis  are  performed  using  different  algorithms  and  are 
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described  in  later  sections.  The  code  for  producing  output  is  identical  to  the  CFSM  program 
with  some  addition  to  allow  the  user  to  tailor  variable  output. 


Text  File  (FSM's) 


Global  and  System 
Reachability  Analysis 


Variable  Definitions 


Predicate-Action 


Figure  17:  SCM  run  time  behavior. 

The  program,  written  in  Ada,  consists  of  packages,  procedures,  and  functions  that 
make  up  the  basic  structure  mentioned  above.  A  package  specifies  a  group  of  logically 
related  entities,  such  as  types,  and  objects  of  those  types  as  defined  in  [GONZ  91]  and 
[SKAN  88].  The  procedures  and  function  that  were  subject  to  change/updates  were  also 
treated  as  separate  compilation  units.  To  give  a  'feel'  for  the  different  components  of  the 
program,  the  separate  compilation  units  and  the  files  that  contain  them  are  shown  in  Table 
4. 

TABLE  4:  SCM  compilation  units. 


Compilation  Unit 

Description 

File 

read_in_file 

parses  text  input  file 

input.a 

load_machine_array 

builds  machine  adjacency 
lists  form  parsed  file 

input.a 

build_Gstate_graph 

builds  global  reachability 
analysis  graph 

global_reachability.a 
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Compilation  Unit 

Description 

File 

clear_pointers 

! 

clears  the  values  for 
another  input  file 

global_eachability.a 

search_for_Gtuple 

performs  BFS  search  of 
global  reachabililty  graph 

global_search.a 

IsEqual 

compares  global  records 
and  associated  transitions 
for  equality 

global_search.a 

build_S  state_graph 

builds  system  reachability 
analysis  graph 

system_reachability.a 

search_for_S  tuple 

perfoms  BFS  search  of 
graph 

system_search.a 

IsSysStateEqual 

compares  system  records 
and  associated  transitions 
for  equality 

system_search.a 

output_Gstate_node 

format  for  node  output 

global_output.a 

output_Gstate_transition 

format  for  transition  output 

global_output.a 

output_Gstates 

traverses  graph  and  outputs 
nodes  and  transitions 

global_output.a 

output_machine_arrays 

format  output  of  contents 
of  adjacency  lists 

global_output.a 

output_S  state_node 

format  for  node  output 

system_output.a 

output_Sstate_transition 

format  for  transition  output 

system_output.a 

output_S  states 

traverses  graph  and  outputs 
nodes  and  transitions 

system_output.a 

output_Gtuple 

format  global  record  for 
output 

user_output.a 

variable_definitions 

user  defined  protocol  vari- 
ables 

user_definitions.a 

Analyze_Predicates 

performs  analysis  of  predi- 
cates and  determines  which 
transitions  are  enabled 

predicate_ac  tion .  a 
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Compilation  Unit 

Description 

File 

Action 

• 

changes  the  global  and 
local  variables  based  on  the 
transition  executed 

predicate_action.a 

The  user  has  access  to  the  last  three  files  shown  in  Table  4.  The  variable  definition  package, 
Predicate  _Analy sis  function,  and  Action  procedure  contained  in  these  files  are  modified  by 
the  user  to  reflect  the  specific  protocol  to  be  analyzed.  Formats  for  each  unit  will  be 
outlined  in  Sections  B,  C,  and  D.  The  other  files  and  procedures  will  remain  hidden  from 
the  user  because  they  are  independent  of  any  protocol  to  be  analyzed.  Figure  18  shows  the 
files  and  generic  units  used  at  compilation  time. 


main  procedure 


Generic  Units 


Separate 

Compilation 

Units 


predicate_action.a 

user_definitions.a 

global_ 
output.a 

system_ 
output.a 

n 

global_ 
search.a 

system_ 
search.a 

global_ 
reachability.a 

system_ 
reachabillity.a 

Figure  18:  SCM  compilation  units. 
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B.      INPUT 

An  intuitive  and  understandable  means  to  input  a  specification  is  helpful  in  any 
protocol  analysis  program.  A  protocol  specification  is  divided  into  shared  and  local 
variable  definitions,  predicate-action  table  representation,  and  finite  state  machine  storage 
structure. 

The  different  parts  to  each  specification  to  be  analyzed  must  be  input  in  a  certain  order. 
The  definition  package,  Analyze JPredicate  function,  and  Action  procedure  must  be 
constructed  and  compiled  before  the  program  is  executed.  When  the  program  is  executed 
the  user  then  inputs  the  FSM  text  file  and  obtains  the  reachability  analysis.  Since  the 
compilation  of  the  program  depends  on  the  variables  in  the  definition  package,  this  package 
is  written  and  compiled  first.  This  is  a  technique  to  verify  variable  definition  correctness  in 
the  Ada  environment.  Once  the  definitions  package  is  compiled  the  Analyze  predicate 
function  and  Action  procedure  can  then  be  compiled  This  step-wise  refinement  facilitates 
error  free  specification  representation. 

At  any  point  in  execution  of  the  program  the  status  of  all  variables  is  kept  in  the  global 
state  record.  Each  node  in  the  global  reachability  graph  has  a  copy  of  this  record.  Within 
the  main  procedure  a  global  state  record  is  declared  as 

type  Gstate_record_type   is 
record 

machinel_state  :    machinel_state_type; 

machine2_state  :    machine2_state_type; 

global_variables       :    global_variable_type; 
end  record; 

Having  the  machine  and  global  types  defined  in  a  separate  package  ensures  that  only  select 
pieces  of  code  can  be  modified  by  the  user.  The  definitions  package  contains  the 
machine  1  _state_type,  machine! _state _type,  and  global _variable_type  declarations;  thus 
this  package  must  be  compiled  first. 

The  order  that  each  input  category  is  covered  in  this  chapter  reflects  order  that  the 
protocol  specification  should  be  constructed  and  compiled. 
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1.     Protocol  Variable  Definitions 

The  user  defines  the  protocol  environment  variables  in  the  definitions  package. 
Variables  can  either  be  local  to  a  specific  machine  or  global  to  the  system.  The  global 
variables  are  considered  shared  and  allow  communication  between  the  machines  in  the 
system.  The  local  variables  are  only  visible  to  the  machine  that  they  are  defined  for.  A 
discrete  variable  can  be  one  of  the  many  Ada  defined  types  such  as: 


integer 

natural 

character 

array 

digit 

boolean 

record 

access 

These  types  variables,  or  their  subtypes,  can  be  used  to  define  protocol 
environment 

A  template  for  the  definitions  package  is  illustrated  in  Figure  19.  The  shaded 
areas  of  the  figure  are  where  the  variables  of  the  protocol  are  inserted.  All  other  code  should 
remain  unchanged.  Additional  type  declarations  should  be  placed  before  the  machine  type 
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declarations.  The  statejiumber  of  each  machine  is  initialized  to  one  even  though  this 

maybe  different  based  on  the  FSM  text  file  is  input  (the  initial  state  is  explicitly  given.) 

^  FSM  transition  labels 

package  definitions   is  f 

type   scm_transition_type  is    (       ||||r^  ^^     )  ; 

.^.protocol  dependent  types 

type  machinel_state_type  is 
record 

state   number    :    natural    :=   1; 


end  record; 


lachine  1  local  variables 


type  machine2_state_type  is 
record 

state  number  :  natural  :■  1; 


20. 


end  record; 

type  global_variable_type  is 
record 


end  record; 
end  definitions; 


lachine  2  local  variables 


;lobal  (shared)  variables 


Figure  19:  SCM,  definitions  package  template. 
The  variable  declarations  for  the  stop_and_wait  protocol  arershown  in   Figure 


package  definitions  is 

type  scm_transition_type  is 

type  buffer__type  is  (d,e,a); 


(snd_data,  rcv_data, 
snd  ack,  rev  ack) ; 


type  machinel  state  type 

is 

record 

state  number 

:  natural 

:  = 

1; 

out  buff 

:  buffer  type 

:  = 

d; 

end  record; 

type  machine2  state  type 

is 

record 

state  number 

:  natural 

:  = 

1; 

in__buff 

:  buffer_type 

:  = 

e; 

end  record; 


41 


type  global_variable_type  is 
record 

CHAN   :  buffer_type      :=  E; 
RET    :  buffer_type      :=  E; 

end  record; 

end  definitions; 

Figure  20:  SCM,  definitions  package,  stop_and_wait. 

The  transitions  are  represented  as  xmtjdata,  xmt_ack,  rcvjdata,  and  rcv_ack 
instead  of -D,  -A,  +D,  and  +A.  Machine  one  has  a  local  variable  that  serves  as  an  out-bound 
buffer  (outjbuff).  It  is  initialized  with  data  present  in  the  buffer,  represented  by  ld\  The 
only  machine  that  sees  the  variable  contents  is  Machine  one.  Machine  two  is  similar  in  that 
it  has  a  buffer  for  receiving  (injbuff)  data  from  the  channel.  The  global  variables  are  the 
shared  variables  channel  (CHAN)  and  a  return  link  (RET).  Both  variables  are  initialized 
empty  and  can  be  accessed  by  each  machine.  The  values  that  CHAN,  RET,  injbuff,  and 
out_buff  can  have  are  defined  as  a  buffer  jype.  The  buffer  jype  variables  can  have  the 
values  e  (empty),  d  (data),  or  a  (acknowledgement).  The  stop_and_wait  protocol  example 
shows  how  easily  variables  can  be  represented.  All  the  text  in  bold  lettering  are  user  defined 
variables  and  types. 

2.      Predicate-Action  Table  Representation 

The  predicate-action  table  serves  as  the  engine  to  the  analysis.  The  enabling 
predicate  defines  the  logic  that  must  hold  true  for  the  transition  to  be  taken  (refer  to  Table 
1).  Local  and  global  variables  must  meet  these  conditions.  A  number  of  transitions  could 
be  enabled,  but,  for  a  transition  to  be  executed  the  state  of  the  machine  must  be  considered. 
The  action  column  of  the  predicate- action  table  identifies  the  variable  changes  that  must 
take  place  when  the  transition  is  executed.  The  program  captures  the  essence  of  the 
predicate-action  table  by  breaking  the  components  of  the  table  into  subprograms.  A 
subprogram  in  the  Ada  environment  is  a  function,  procedure,  or  package.  Since  the  user 
must  have  access  to  a  number  of  the  subprograms  they  are  represented  as  separate 
compilation  units. 
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The  first  subprogram  is  the  Analyze  predicate  function.  A  function  is  a 

subprogram  that  returns  a  value  to  the  location  in  which  it  was  invoked.  It  can  only  have 

input  parameters.The  function  is  handed  the  machine  local  variables  and  the  system  global 

variables  as  input  parameters.  Since  more  than  one  transition  could  be  enabled,  a  stack  is 

used  to  place  all  transitions  that  are  enabled.  A  transition  is  pushed  onto  the  stack  if  it  is 

enabled  and  the  function  returns  the  entire  transition  _stacL  From  the  transition _stack 

values  and  a  pointer  to  the  current  state  in  machine  adjacency  matrix,  a  determination  is 

made    on    which    transition    can    actually    be    executed.    There    are    a    number   of 

Analyze  predicate    functions,    one     for    each    machine.     The     template     for    the 

Analyze  J*  redicate  function  is  shown  in  Figure  21. 

separate  (main) 

function  Analyze_Predicates_Machinel (local  :  machinel_state_type; 

GLOBAL:  global_variable_type) 
return  transition_stack_package. stack  is 


begin 


MakeEmpty(transition_stack)  ; ^  enabling  condition 


if    (   11111  nil    )    then 

Push  (transition_stack,    |MMfffi*pggg^^   )'" 

,    .  ^"^  enabled  transition 

return  transition_stack; 

end  Analyze  Predicates  Machinel; 


Figure  21:  SCM,  Analyze  predicate  function  template. 

Once  a  transition  is  executed,  changes  must  be  made  to  some  or  all  the  variables. 
A  procedure  using  a  case  statement  was  the  simplest  way  to  make  the  changes  to  the  global 
state  record.  The  Action  procedure  has  three  parameters:  the  transition  that  is  executed  and 
the  current  global  state  record  are  in  parameters,  and  the  updated  global  state  record  is  the 
out  parameter.  The  transition  is  passed  into  the  procedure  and  a  case  statement  determines 
which  series  of  instructions  are  to  be  executed.  These  instructions  make  the  appropriate 
changes  to  the  protocol  environment  variables.  The  out _sy stem _state  is  handed  out  of  the 
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procedure  containing  the  changed  protocol  variables.  The  template  for  the  Action 
procedure  is  shown  in  Figure  22. 


separate  (main) 

procedure  Action (   in_system_state 

in_transition 
out_system_state 

begin 

case  (in  transition)  is 


when  ( 


in  Gstate_record_type; 
in  scm_transition_type; 
out  Gstate_record_type)  is 

*.  enabled  transition 


_  »•  action  taken 

when  others  => 

put_line ("Error  in  the  Action  procedure"); 
end  case; 
end  Action; 


Figure  22:  SCM,  Action  procedure  template 

The  three  subprograms  that  reflect  the  logic  of  the  predicate-action  table  are 
grouped  together  in  one  file  (predicate_action.a).  The  file  for  the  stop_and_wait  protocol 
is: 

separate  (main) 

function  Analyze_Predicates_Machinel  (local  :  machinel_state_type; 

GLOBAL:  global_variable_type) 
return  trans it ion_stack_package . stack  is 
begin 

MakeEmpty (transition  stack); 

if  (  (local. outjbuff  7=  e)  and  (GLOBAL. CHAN  =  E))  then 

Push  (transition_stack,  annt_data)  ; 
end  if; 
if  (GLOBAL. RET  =  A)  then 

Push  (transition_stack,  rcv_acJc)  ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main) 

function  Analyze_Predicates_Machine2 (local  :  machine2_state_type; 

GLOBAL:  global_variable_type) 

return  transition_stack_package . stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL.  CHAN  /=  E)  and  ( local .  injbuff  =  e)  )  then 
Push (transition_stack, rcv_data) ; 

end  if; 

Push  (trans ition_stack,  3ant_ack)  ; 

return  transition_stack; 
end  Analyze_Predicates_Machine2; separate  (main) 

separate  (main) 


44 


procedure  Action (in   system_state  :    in  Gstate_record_type; 

Tn_transition  :    in  scm_transition_type; 

out_system_state      :    out  Gstate_record_type)    is 
begin 

case    (in_transition)    is 
when    (aoot_data)    => 

out_sy3tem_state . GL0BAL_VARIABLES . CHAN    : = 
in_3ystem_state  .machinel_state .  out_buf  f  ; 
when    (rcv_ack)    => 

out_system_state . GLOBAL_VARIABLES  . RET    :=  E; 
out_sy3tem__state . GLOBAL_VARIABLES  . CHAN    :=  E; 
out_ayatem_3tate.machixie2__state.in__buff    :=  e; 
when    (aont_ack)    => 

out_sy3tem_state .  GLOBAL_VARIABLES  .  RET    :=  A; 
when    (rcv_data)    => 

out_3y3tem_3t ate . machine2_state .  in_buf f    :  = 
in_3ystem_state .  GLOBAL__VARIABLES  .  CHAN; 
when  others  => 

put_line ("Error  in  the  Action  procedure"); 
end  case; 
end  Action; 

Figure  23:  SCM,  analyze_predicate.a,  stop_and_wait. 

The  bold  text  in  the  code  indicates  what  the  user  provided  as  input  to  define  the 
specification  shown  in  the  stop_and_wait  predicate-action  table  (See  Figure  16.) 

3.     Finite  State  Machines 

The  FSM's  are  input  as  a  text  file  during  program  execution.  This  file  is  built  by 
the  user  with  a  set  of  language  rules  similar  to  the  Backus-Naur  Form  (BNF)  shown  in 
Chapter  in.  The  only  change  to  the  format  of  the  input  is  the  transition  (trans)  lines.  In  the 
GFSM  model  only  send  and  receive  transitions  were  allowed;  whereas  in  the  SCM  model 
a  transition  can  have  any  label  that  follows  the  enumeration  rules.  The  lines  of  the  text  file 
are  buffered  and  parsed.  From  the  parsed  line  groups  of  strings  called  tokens  are 
manipulated  as  described  in  Chapter  III.  The  list  of  valid  instructions  for  finite  state 
machine  input  is: 

start 

machine  <natural> 

state  <natural> 

initial_state  <natural>  <natural> 

trans  <enumeration_literal>  <natural> 

finish 
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The  tokens  are  cast  into  either  enumerated  types  (instructions)  or  integers  (integer 
variables).  The  integer  variables  have  been  formally  defined  within  the  main  procedure  in 
Appendix  B.  The  meaning  of  the  instructions  are  found  in  Figure  24. 

start  Serves   as   a  beginning  flag  for  the   file, 

machine  Defines  the  current  machine, 

state  Defines  the  current  state. 

initial_state  The  intitial/start  state  for 

machines  one  and  two. 
trans  Transition  type  and  next  state, 

finish  This   token  serves   as  an  ending  flag  for 

the  file. 

Figure  24:  Input  File  definitions. 

Representation  of  a  finite  state  machine  using  the  above  convention  has  some 

inherent  constraints.  Rules  for  constructing  enumeration  literals  must  be  followed.  For 

instance,  the  list  of  values  in  an  enumeration  literal  can  only  be  character  literals  and  cannot 

contain  a  digit  in  the  first  position.  The  input  file  for  stop_and_wait  is  shown  in  Figure  25: 

start 

machine  1 

state  0 

trans  xmt_data  1 

state  1 

trans  rcv_ack  0 

machine  2 

state  0 

trans  rcv_data  1 

state  1 

trans  xmt_ack  0 

initial_state  0  0 

finish 

Figure  25:  SCM,  Input  File,  stop_and_wait. 

A  data  structure  that  contributes  to  the  reachability  analysis  is  the  FSM  adjacency 
list.  The  adjacency  list  was  chosen  as  the  structure  to  represent  the  directed  graph  of  the 
finite  state  machines. 

The  actual  data  structure  to  build  the  adjacency  list  and  the  defined  constraints 


are: 


type  machine_array_record_type; 

type  Mlink_type  is  access  machine_array_record_type; 
type  executed_type  is  (yes, no); 
type  machine_array_record_type  is 
record 

transition         :  scm_transition_type; 
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next_state  :  natural; 

executed  :  executed_type; 

Mlink  :  Mlink_type 
end  record; 

type  machine_array_type  is  array  (positive  rangeO) 

of  Mlink_type; 
type  sy3tem_array_type  is  array(1..2) 

of  machine_array_type; 

The  internal  representation  of  the  FSM  adjacency  lists  are  the  same  as  Figure  12 
except  the  SCM  adjacency  lists  do  not  have  a  message  field. 

C.      REACHABILITY  ANALYSIS 

The  process  of  generating  the  set  of  all  states  reachable  from  the  initial  state  is  called 
state  reachability  analysis.  During  the  reachability  analysis  a  check  for  deadlock, 
unspecified  reception,  and  unexecuted  transitions  are  done.  The  reachability  analysis  of  a 
specific  protocol  is  done  in  two  phases. 

The  first  is  to  generate  a  global  state  reachability  graph.  This  analysis  constructs  a 
graph,  whose  nodes  are  the  reachable  global  states,  and  whose  arcs  indicate  the  transitions 
leading  from  each  global  state  to  another.  The  global  state  (node)  contains  the  state  of  each 
machine  and  the  values  of  all  the  variables. 

The  second  phase  of  the  analysis  is  to  generate  an  separate  system  state  reachability 
graph  from  the  global  state  reachability  graph.  The  system  reachability  graph  contains 
nodes  with  just  the  state  information  of  each  machine.  The  rules  for  the  generation  of  new 
states  will  be  discussed  in  Section  2. 

1.     Global  State  Analysis 

The  process  of  generating  the  set  of  all  global  states  reachable  from  the  initial 
global  state  is  called  global  state  analysis.  This  analysis  produces  a  graph,  whose  nodes  are 
the  reachable  global  states,  and  whose  arcs  indicate  the  transitions  leading  from  each  global 
state  to  another.  The  global  state  of  a  system  consists  of  the  system  state  tuple,  plus  the 
values  of  all  variables,  both  local  and  shared.  The  algorithm  as  it  appears  in  [LUND  91a]  is: 
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(1)  Set  each  machine  to  its  initial  state,  and  all  variables  to  their  initial 
values.  The  initial  set  of  reachable  global  states  consists  of  the  initial  system 
state  and  the  value  of  all  variables;  the  initial  graph  is  a  single  node 
representing  this  state. 

(2)  From  the  current  global  state  vector  and  variable  values,  determine 
which  transitions  are  enabled  For  each  of  these  transitions,  determine  the 
global  state  which  results  from  its  execution.  If  this  state  (with  the  same 
enabled  transitions)  has  already  been  generated,  then  draw  an  arc  from  the 
current  state  to  it,  labeling  the  arc  with  the  transition  name.  Otherwise,  add 
the  new  global  state  to  the  graph,  draw  an  arc  from  the  current  state  to  it,  and 
label  the  arc  with  the  name  of  the  transition. 

(3)  For  each  new  state  generated  in  step  2,  repeat  step  2.  Continue  until 
step  2  has  been  repeated  for  each  global  state  thus  generated,  and  no  more 
new  states  are  generated. 

The  algorithm  above  was  modified  to  make  use  of  the  existing  data  structures 
introduced  in  the  CFSM  program.  A  psuedo-code  algorithm  to  construct  the  global 
reachability  graph  is: 


create  topjGstate  pointer  and  initial  node  in  Gstate_graph 
main  bop 

for  machine  Jndex  in  1  ..number _of_mac nines  loop 

transition _stack  :~  Analyze _predicate( machine _index,current_G state) 
while  transition _stack  is  not  empty  loop 

while  current  row  of  mac  hine(  machine  Jndex)  is  not  null  loop 
if  cur  rent _G  state. transition  -  top  of transition  stack  then 

perform  Action  procedure  on  current  jTstate  and  place 

results  in  a  temp_Gstate 
search  G  state  jgraph  for  temp jG state 
if  temp _G state  found  then 

insert  tempjGstate  in  Gstate_graph 
Enqueue  pointer  to  location  in  G state _pointer _queue 
else 

link  current  Gstate  to  found  Gstate 
set  new _noJe  flag  to  false 
else 

traverse  current  row  of  machine(  machine  Jndex) 
end  loop  —machine  row  traversal  loop 
Pop  a  transition  from  the  transition_stack 
end  loop  —transition  loop 
if the  Gstate  ^pointer  queue  is  not  empty  then 
Dequeue  a  pointer 

go  to  the  appropriate  row  of  mac  hine(  machine  Jndex) 
else 

exit  loop 
end  loop  —machine  loop 
exception 

when  Gstate _pointer_queue  is  empty  then 
exit  main  loop 
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when  G state _pointer  queue  is  full  then 
print  error  message 
exit  main  loop 
end  mainjoop 

The  data  structures  that  are  used  in  the  program  are  defined  in  the  specification 

of  the  main  procedure  and  the  definitions  package.  The  machine  states  and  variables  along 

with  the  global  variables  are  defmed  in  the  definitions  package.  The  remaining  data 

structures  which  arc  hidden  from  the  user  are: shown  in  Figure  26 

— data  structures  for  the  global  state  tuple (node) 

type  global_state_type; 

type  Glink_type  is  access  global_state_type; 

— transition  structure 
type  Gstate_transition_type  is 
record 

Gtransition    :    scm_transition_type; 
new_node  :   boolean    :=  true; 

Glink  :    Glink_type; 

executed  :   boolean    :=  false; 

end  record; 

r-global  tuple  structure 
type  Gstate_record_type   is 
record 

machinel_state  :   machinel_state_type; 

machine2_state  :    machine2_state_type; 

global_variables       :    global_variable_type; 
end  record; 

— Global   state  node,    contains   transition,    state,    and  link   information 
— needed  for  building  the  global   state  graph 
type  global_state_type   is 


record 

node_n umber 
Gtuple 
linkl 
link2 
link3 
link4 
end  record; 


natural  :=  0; 

Gstate_record_type ; 

Gstate_transition_type; 

Gstate_transition_type; 

Gstate_transition_type; 

Gstate_transition_type; 


Figure  26:  SCM,  global  definitions. 

The  data  structure  of  the  global  node  (g  lobal_state_ty pe)encapsu\cites  the 
information  contained  in  the  global  state  record.  The  global  transition  record  has  the  type 
of  transition  and  information  about  the  node  it  is  pointing  to.  If  the  node  it  is  pointing  to  is 
a  newly  created  node  the  new  field  is  set  to  false,  otherwise  it  maintains  its  initialized  value 
of  true.  It  also  has  a  visited  field,  used  during  the  construction  of  the  system  state 
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reachability  graph.  The  internal  representation  of  the  graph  generated  by  the  algorithm  for 
stop_and_wait  protocol  highlights  all  the  data  structure  used  (see  Figure  27). 
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Figure  27:  SCM  internal  global  reachability  graph,  stop_and_wait. 
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2.     System  State  Analysis 

System  state  analysis  is  similar  to  global  state  analysis.  The  number  of  states 
generated  by  the  system  state  analysis  is  less  than  or  equal  to  the  number  of  states  in  the 
CFSM  model  or  the  global  analysis  of  the  SCM  model.  Only  the  states  of  the  machines  and 
the  transitions  from  those  states  are  considered  when  generating  a  new  state.  The  formal 
steps  in  constructing  a  system  state  graph  as  it  appears  in  [LUND  91a]  is: 

(1)  Set  each  machine  to  its  initial  state,  and  all  variables  to  their  initial 
values.  The  initial  set  of  reachable  system  states  consists  of  only  the  initial 
system  state;  the  initial  graph  is  a  single  node  representing  this  state. 

(2)  From  the  current  system  state  vector  and  variable  values,  determine 
which  transitions  are  enabled.  For  each  of  these  transitions,  determine  the 
system  state  which  results  from  its  execution.  If  this  state  (with  the  same 
enabled  transitions)  has  already  been  generated,  then  draw  an  arc  from  the 
current  state  to  it,  labeling  the  arc  with  the  transition  name.  Otherwise,  add 
the  new  system  state  to  the  graph,  draw  an  arc  from  the  current  state  to  it,  and 
label  the  arc  with  the  name  of  the  transition. 

(3)  For  each  new  state  generated  in  step  2,  repeat  step  2.  Continue  until 
step  2  has  been  repeated  for  each  system  state  thus  generated,  and  no  more 
new  states  are  generated. 

The  portion  of  the  program  that  builds  the  system  state  graph  makes  use  of  the 
information  already  available  in  the  global  state  graph.  In  the  current  version  of  the 
program  the  global  reachability  graph  is  constructed  followed  by  the  system  reachability 
graph.  Future  versions  would  allow  the  user  to  select  which  analysis  to  perform  but 
currently  both  are  constructed  and  output  The  pointer  to  the  initial  global  state  is  provided 
as  an  input  parameter  to  the  build_Sstate_graph  procedure.  The  global  state  graph  is 
traversed  in  a  breadth  first  manner,  as  the  nodes  are  visited  the  system  state  graph  is 
constructed.  If  the  system  state  graph  were  being  constructed  independently  of  the  global 
state  graph  the  algorithm  would  be  very  similar  to  the  one  in  the  previous  section.  Since  the 
system  state  graph  is  being  constructed  based  on  only  the  global  reachability  graph  the 
machine  matrices  are  not  used.  The  psuedo-code  algorithm  for  this  approach  is: 
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create  topjSstate  pointer  and  build  initial JSstate  node; 
main  loop 

while(  current  Gstate.link  not  null  and  not  visited)  loop 
visit  a  Gstate_graph  node  using  BFS  traversal 
mark  the  link  taken  as  visited 
create  a  tempjSstate  with  values  of  current _G  state 
search  Sstate jgraph  for  tempjSstate 
if  temp  Jistate  found  then 

insert  temp_Sstate  in  Sstate_graph 
else 

link  current  Sstate  to  found  Sstate 
set  new  node  flag  to  false 
end  loop 
end  main  loop 

The  data  structures  for  the  system  state  graph  construction,  except  for  the 
transition  labels,  are  completely  hidden  from  the  user.  The  system  related  data  structures  as 
they  appear  in  the  main  procedure  are  shown  in  Figure  28. 

type  system_state_type; 

type  Syslink_type  is  access  system_state_type; 

— transition  structure  for  system  state 
type  Sstate_transition_type  is 
record 

Stransition 

new_node 

Syslink 
end  record; 


scm_transition_type; 
boolean  :=  true; 
Syslink_type; 


type  Sstate_record_type  is 
record 

machinel_state     :  natural  :=  0; 

machine2_state     :  natural  :=  0; 
end  record; 

— system  state  structure 
type  system_state_type  is 
record 

node_number       :  natural  :=  0; 
S tuple  :  Sstate_record_type; 

linkl  :  Sstate_transition_type; 

link2  :  Sstate_transition_type; 

link3  :  Sstate_transition_type; 

link4  :  Sstate_transition_type;-  ■ 

end  record; 

Figure  28:  SCM,  system  definitions. 

To  follow  through  with  the  stop _and  wait  analysis  example,  an  internal 
representation  of  the  system  state  graph  is  shown  in  Figure  29.  Although  this  example  does 
give  a  graphical  picture  of  how  the  data  structures  are  used  it  does  not  show  the  advantages 
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of  a  system  state  analysis  over  global  state  analysis.  Examples  covered  in  Chapter  V 
illustrate  how  much  smaller  system  state  graphs  can  be  when  compared  to  the  global 
analysis  graphs. 
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Figure  29:  SCM  internal  system  reachability  graph,  stop _and  wait. 
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D.      OUTPUT 

Output  of  the  analysis  is  provided  to  a  text  file  and  to  a  default  device(workstation 
display).  Figure  32  shows  a  captured  image  of  default  output  to  a  workstation  screen  for 
stop_and_wait.  There  are  features  available  to  allow  the  user  to  step  through  the  output  one 
screen  at  a  time.  Output  messages  are  provided  to  the  user  when  a  deadlock,  unexecuted 
transition,  or  an  unspecified  reception  occur.  A  message  is  also  displayed  when  the  length 
of  the  graph  exceeds  the  bounds  defined  by  the  user  (capacity  of  the  channel  is  exceeded.) 
The  contents  of  the  machine  adjacency  lists  are  also  output. 

The  user  may  format  output  for  the  global  state  graph.  This  is  done  through  the  file 
user_ouput.a.  The  procedure,  output  jGtuple,  contained  in  the  file  allows  the  user  to  format 
the  variables  for  default  output.The  template  for  output  procedures  are  found  in  Figure  30. 

separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

put("  ["  &  integer' image (tuple .machinel_state . state_number)  &    "  ,  *)  ; 


-►  user  defined  Format  of  variables  using  textIO 


put("  ,"  &  integer' image (tuple .machine2_state . state_number)  &  "  ]  "); 
end  output_Gtuple; 

separate  (main) 

procedure  output_Gtuple_to_f  ile  (tuple  :  in  out  Gstate_record_type)  is 

begin 

put (reach,"  [w  &  integer'  image (tuple .machinel_state . state_number) ) ; 

^>  user  defined  format  of  variables  using  textIO 


put (reach,"  ,"  &  integer' image (tuple .machine2_state . state_number)   & 
„  j  «); 

end  output_Gtuple_to_f ile; 

Figure  30:  SCM,  output _Gtuple  procedure  template. 

An  example  of  how  a  user  could  format  output  is  given  for  the  stop_and_wait  protocol 

is  given  in  Figure  31 

separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

put ("  t"  &  integer' image (tuple .machinel_state . state_number) 

&  w  ,  " )  ; 

put (tuple  machinel_3tate . out_buff,  set  =>  lower_caae) ; 


56 


putr  ,  «>; 

put (tuple  GLOBAL_VABIABLES . CHAN,  set  =>  upper_case) ; 

putr  ,   w); 

put (tuple. GLOBAL_VARIABLES .RET,  set  =>  upper_case) ; 

putP  ,  w); 

put (tuple. machine2_st ate. in_buff,  set  =>  lower_case) ; 

put  I   ,  "  &  integer' image (tuple. machine2_st ate. state_number) 
&  m   ]  w); 
end  output_Gtuple; 

separate  (main) 

procedure  output_Gtuple_to_file (tuple  :  in  out  Gstate_record_type)  is 

begin 

put (reach,"  ["  & 

integer' image (tuple .machinel_state .state_number)  &  "  ,  ")  ; 
put (reach, tuple. machine l_st at e .out_buff,  set  =>  lower-case) ; 
put (reach,"  ,  w) ; 

put  (reach,  tuple . GLOBAL_VARlABLES  . CHAN,  set  =>  uppercase)  ; 
put (reach,"  ,  *) ; 

put  (reach,  tuple. GLOBAL__VARIABLES  .RET,  set  =>  upper_case)  ; 
put  (reach,  "  ,  w)  ; 

put (reach, tuple. machine2_st ate. in_buff,  set  =>  lower_case) ; 
put (reach, "  ,"6 

integer' image (tuple .machine2_state. state_number)  &  "  ]  ")  ; 
end  output_Gtuple__to_file; 

Figure  31:  SCM,  output  format,  stop_and_wait. 

Consistent  with  previous  examples  the  boldface  code  is  that  which  the  user 
provides.  The  user  does  not  provide  any  parameters  for  system  state  output.  The  output 
shown  in  Figure  32  was  formatted  according  to  the  procedures  us,ed  above. 


57 


REACHABILITY  ANALYSIS  of  :  stop.and.yait 
Global  State  GRAPH 

0  [0,d,E,E,a,0]   xnt.data  1 

1  [  1  ,  d  ,  D,E,e  ,0]   rcv.data  2 

2  tl,d,D,E,d,l]   xmt.ack  3 

3  tl,d,D,A,d,0]   rcv.ack  0 

System  State  GRAPH 


0 

C  0  , 

.  0  ] 

xnt.data 

[  1  . 

.  0  ] 

1 

1 

C  1  , 

,  0  ] 

rcv.data 

I  1  , 

.  1  ] 

2 

2 

C  1  , 

,  1  ] 

xwt.ack 

C  1  , 

.  0  ] 

3 

3 

I   1  , 

,  0  ] 

rcv.ack 

C  0  , 

,  0  ] 

0 

Machine  1  Array  Contents 


I  From     I  To  I  Transition  I  Executed 

I   0   111  xmt.data    I   yes 
I   1   I   0  I  rcv_ack     I   yes 


I      Machine  2  Array  Contents       I 

I  Fron  I  To  I  Transition  I  Executed  I 

I   0   I   1  I  rcv.data    I   yes    I 
I   1   I   0  I  xmt.ack    I   yes    I 

Figure  32:  SCM,  analysis  output,  stop_and_wait. 
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V.  AN  AUTOMATED  ANALYSIS  OF  SELECTED  DATA  LINK 

PROTOCOLS 


In  this  section  the  programs  that  were  developed  in  the  last  two  chapters  will  be 
demonstrated.  Some  well  known  data  link  protocols  will  be  analyzed  using  the  CFSM  and 
SCM  programs.  The  CFSM  program  will  be  used  to  analyze  the  alternating  bit  and  the 
sliding  window  protocols.  The  SCM  program  will  be  used  to  analyze  go_back_n  and 
selective  repeat  protocols.  In  each  analysis  the  specification  will  be  described;  the  program 
input  and  results  are  in  the  Appendices  of  this  publication. 

A.      CFSM  MODEL 

The  examples  used  as  input  show  the  advantages  of  the  CFSM  program.  The 
alternating  bit  protocol  analysis  was  chosen  as  a  simple  class  of  protocols.  The  sliding 
window  with  a  window  size  of  three  shows  how  a  graphically  complex  protocol  can  be 
analyzed  quite  easily. 

1.      Alternating  Bit  Protocol 

The  specification  of  the  alternating  bit  protocol  will  be  used  as  the  first  example 
for  the  CFSM  program.  The  protocol  consists  of  two  machines.  Machine  one  serves  as  a 
sender  and  Machine  two  as  the  receiver.  The  sender  sends  a  message(-X)  to  the  receiver. 
The  receiver  then  accepts  the  message  (+X)  and  sends  an  acknowledgment  (-A).  The 
acknowledgment  at  the  machine  level  is  done  with  the  toggling  of  a  bit,  wherein  the  name 
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alternating  bit  is  derived.  The  sender  is  clear  to  send  another  message  when  the 
acknowledgment  is  received. 

Machine  1  Machine  2 


Figure  33:  CFSM  specification,  Alternating  Bit. 

The  input  file  for  the  specification  is 

start 
machine  1 
state  1 
trans  -X  2 
state  2 
trans  *f\  3 
state  3 
trans  -Y  4 
state  4 
trans  +B  1 
machine  2 
state  1 
trans  *X  2 
state  2 
trans  -A  3 
state  3 
trans  +Y  4 
state  4 
trans  -B  1 
initial.state  1  1 
finish 


The  analysis  of  the  alternating  bit  specification  is: 
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REACHABILITY  ANALYSIS  of  :  output.alt.bit 


1 

[  1  ,  E  ,  E  ,  1  ] 

-X 

C  2  ,  X  ,  E  ,  i  3 

2 

2 

c  2 ;  X  ,  E  ,  1  ] 

♦X 

[  2  ,  E  .  E  ,  2  ] 

3 

3 

C  2  ,  E  ,  E  ,  2  ] 

-A 

[  2  ,  E  ,  A  ,  3  ] 

4 

4 

[  2  ,  E  ,  A  ,  3  ] 

♦A 

[  3  ,  E  ,  E  ,  3  ] 

5 

5 

C  3  ,  E  ,  E  ,  3  ] 

-Y 

[  4  ,  Y  ,  E  ,  3  3 

6 

6 

C  4  ,  Y  ,  E  ,  3  3 

+Y 

C  4  ,  E  ,  E  ,  4  ] 

7 

7 

C  4  ,  E  ,  E  ,  4  ] 

-B 

[  4  ,  E  ,  B  ,  1  ] 

8 

9 

C  4  ,  E  ,  B  ,  1  ] 

♦B 

C  1  ,  E  ,  E  ,  1  ] 

1 

I     Machine  1  Array  Contents 

I  Fron  I  To  I  Transition  I  Executed 


I  1  I  2  I  snd  X  I  yes  I 

I  2  I  3  I  rev  A  I  yes  I 

I  3  I  4  I  snd  Y  I  yes  I 

I  4  I  1  I  rev  B  I  yes  I 


I  Machine  2  Array  Contents       I 

I  From  I  To  I  Transition  I  Executed  I 

I   1  I   2  I    rev  X   I   yes    I 

I   2  I   3  I    snd  A   I   yes    I 

I   3  I   4  I    rev  Y   I   yes    I 

I   4  I   1  I     snd  B   I   yes    I 


*  The  nodes  generated  by  the  analysis 
were  done  in  a  breadth  first  manner 


2.      A  More  Complex  Example:  The  Sliding  Window  Protocol. 

The  analysis  of  a  sliding  window  protocol  is  a  more  complex  example.  To 
represent  the  protocol  as  a  set  of  graphical  finite  state  machines  can  be  quite  tedious.  The 
essence  of  the  protocol  must  be  captured  with  the  use  of  transitions,  oftentimes  this  can  lead 
to  an  intricate  diagram  as  in  this  example. 

The  sliding  window  protocol  can  also  be  represented  as  a  two  machine  CFSM. 
As  in  the  previous  example,  Machine  one  is  the  sender  and  Machine  two  is  the  receiver.  At 
any  instant  of  time  the  sender  maintains  a  list  of  consecutive  sequence  numbers 
corresponding  to  frames  it  is  permitted  to  send[TANE  811  These  frames  are  said  to  fall 
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within  the  sending  window.  The  receiver  also  maintains  a  receiving  window  corresponding 
to  frames  it  is  permitted  to  accept.  The  sending  window  and  the  receiving  window  need  not 
have  the  same  -lower  and  upper  limits,  or  even  have  the  same  size. 

A  window  size  of  three  is  used  in  the  specification  given  in  Figure  34.  The 
messages  or  packets  are  shown  as  transitions  labeled  X,  Y,  and  Z  and  the  acknowledgments 
are  A,  B,  and  C. 

Machine  1  Machine  2 


Figure  34:  CFSM  specification,  sliding  window  (w=3). 
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The  text  file  of  the  specification  is: 


start 

Machine  1 
state  1 
trans 
state 
trans 
trans 
state 
trans 
trans 
state 
trans 
state 
trans  -X 
trans  +ft 
state  6 
trans  *A 
trans  *B 
state  7 
trans  -V 
state  8 
trans  -Z 
state  9 
trans  *C 
trans  ♦A 


-X  2 

2 

♦B  7 

-Y  3 

3 

♦B  9 

♦C  4 

4 

-Z  5 

5 
6 
1 

2 
7 

8 


Machine  2 
state  1 
trans  *X  2 
state  2 
trans  *Y  3 
state  3 
trans  -C  4 
state  4 
trans  *Z  5 
state  5 
trans  *X  S 
state  6 
trans  -B  7 
state  7 
trans  *Y  9 
state  8 
trans  *Z  9 
state  3 
trans  -A  1 
lnltlal.stete  1  1 
finish 


The  analysis  of  the  specification  as  contained  in  the  output  text  file: 


REACHABILITY  ANALYSIS  of  :  output.sl  idlno. 


1 

C  1 

E  „ 

E 

1  ] 

-X 

(  2 

X  .  f 

..11 

2 

2 

C  2 

X  . 

E 

1  ] 

-Y 

I  3 

XY  , 

E  .  1  ] 

3 

♦X 

t  2 

E  ,  1 

,  2  ) 

4 

3 

[  3 

XT 

.  E 

.  1  1 

♦X 

I  3 

Y  ,  1 

-  2'  1 

5 

4 

C  2 

E  , 

E 

2  ] 

-r 

(  3 

Y  ,  1 

.  ,  2  ] 

5 

5 

C  3 

Y  . 

E 

2  ] 

•Y 

(  3 

E  ,  1 

.  3  ] 

S 

6 

C  3 

E  . 

E 

3  ] 

-C 

I  3 

E  .  i 

.  4  ] 

7 

7 

C  3 

E  . 

C 

4  ] 

< 

(  4 

E  .  1 

.  4  ] 

9 

8 

C  4 

E  . 

E 

4   ] 

-z 

(  S 

Z  ,  1 

"  ,  4  ] 

9 

9 

C  5 

2  . 

E 

4  ] 

-X 

(  6 

zx  , 

E  .  4  ] 

10 

♦z 

(  5 

E  .  1 

.  5  1 

11 

10 

C  6 

a 

.  E 

.  4  ] 

•z 

(  6 

X  ,  1 

: .  5 1 

12 

U 

C  5 

E  , 

E 

S  ] 

-X 

[  6 

X  .  1 

: ,  s  i 

12 

L2 

c  s 

X  . 

E 

5  ] 

♦X 

(  6 

E  . 

.  S  ] 

13 

U 

C  6 

E  . 

E 

6  1 

-B 

I  6 

E  . 

.71 

14 

U 

C  6 

E  , 

1 

7  1 

♦B 

(  7 

E  . 

: .  7  i 

15 

IS 

t  7 

E  . 

E 

7  ] 

-Y 

[  9 

Y  , 

: .  7 1 

IE 

IB 

C  9 

.  1  . 

E 

7  1 

-Z 

I  3 

YZ  . 

E  .  7  ] 

17 

•V 

[  9 

E  . 

3  1 

19 

17 

[  9 

« 

.   E 

,  7  ] 

•Y 

t  9 

Z  . 

: .  9 1 

13 

19 

i  9 

E  , 

E 

9  ) 

-Z 

(  9 

Z  . 

.    9   ] 

19 

13 

t  9 

2 

E 

9  1 

♦z 

[  3 

E  . 

: .  9 1 

20 

20 

t  9 

E  , 

E 

9  ] 

-A 

[  3 

E  ,  1 

i.ii 

21 

a. 

C  9 

E  . 

A 

1  ] 

•0 

(  1 

E  .  1 

: .  i  i 

1 

1             Machine  X  Array  Contents                     1 

1   Fro* 

To 

Transition 

Executed  1 

1        1 

2 

and 

X 

yes          1 

1        2 

7 

rev 

i 

no          1 

1      2 

3 

and 

Y 

yes        1 

1       3 

9 

rev 

B 

no            1 

1       I 

4 

rev 

C 

y"       1 

1      4 

5 

and 

I 

yes         1 

1      5 

6 

and 

X 

yea         1 

1      5 

1 

rev 

9 

no          1 

1      6 

2 

rev 

9 

no          1 

1      S 

7 

rev 

3 

yes        1 

1      7 

9 

and 

Y 

yea         1 

i     a 

3 

and 

Z 

yes         1 

1      3 

5 

rev 

C 

no           1 

1       3 

1 

rev 

9 

yea         1 

Machine  2  Array  Contents 


I  Fro*     I     To     I     Transition     I  Executed  I 


1     1 

1      2 

1      3 

1       4 

1       5 

1       S 

1       7 

i     a 

1      9 

rev 

X 

yaa 

rev 

r 

yw 

and 

c 

•yes 

rev 

i 

yes 

rev 

X 

yos 

and 

8 

yea 

rev 

Y 

yes 

rev 

I 

yes 

and 

9 

yes 

63 


The  unexecuted  transitions  account  for  error  control.  Error  control  refers  to 
mechanisms  to  detect  and/or  correct  errors  that  occur  in  the  transmission  of  information.  So 
the  unexecuted  transitions  identified  in  Machine  2's  array  are  transitions  that  would  have 
been  executed  if  a  loss  of  a  message  had  occurred.  Error  and  time-out  transitions  are  not 
shown  in  the  CFSM. 

B.      SCM  MODEL 

The  examples  used  as  input  validate  the  use  of  the  SCM  program  as  a  tool  to  verify 
protocols.  The  go_back_n  protocol  was  analyzed  first  due  to  the  availability  of  prior 
modelling  done  using  SCM.  The  output  of  the  program  were  compared  to  the  manual  SCM 
modelling  results  of  this  protocol.  The  selective  repeat  specification  provided  additional 
evidence  as  to  the  programs  validity  as  well  as  demonstrating  how  it  can  be  used  to  improve 
a  specification.  In  both  examples  it  must  be  shown  that  the  use  of  the  analysis  should  help 
the  designer  or  reviewer  to  gain  a  greater  understanding  of  the  protocol,  as  well  as  in 
detecting  errors. 

The  analysis  of  any  protocol  using  this  program  contains  varying  information.  A 
global  reachability  graph  and  system  reachability  graph  are  provided.  Following  the  graph 
is  a  description  of  the  contents  of  each  machine  array  upon  termination  of  the  graph 
construction.  Error  messages  (deadlock,  unspecified  reception,  and  unexecuted  transitions) 
are  placed  at  the  point  in  the  analysis  where  they  occur.  The  system  state  graph  will  be  used 
in  this  section  to  provide  a  means  to  validate  output  results.  The  system  state  graph  can  be 
viewed  as  a  three  dimensional  object  whose  tuple  values  provide  a  vector  to  3  dimensional 
space. 

1.      Go  Back  N 

The  first  protocol  which  was  chosen  to  model  is  a  go_back_n  protocol  with  a 
variable  window  size,  which  is  a  subset  of  the  High-level  Data  Link  Control  (HDLC)  class 
of  protocols.  There  are  two  machines  in  the  system,  a  sender(/n/)  and  a  receiver  (rri2).  The 

sender  sends  data  blocks  to  the  receiver,  which  are  numbered  sequentially,  0,  1,...,  w,  0, 1,... 
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for  a  window  size  of  w.  The  maximum  number  of  data  blocks  which  can  be  sent  without 
receiving  an  acknowledgment  is  w,  the  window  size.The  receiver,  n%2t  receives  the  data 
blocks  and  acknowledges  them  by  sending  the  sequence  number  of  the  next  block  expected 
(which  is  stored  in  local  variable  exp).  The  shared  variables  DATA  and  SEQ  are  used  to 
pass  messages  from  sender  to  receiver,  and  the  shared  variable  ACK  is  used  to  pass 
acknowledgments  back  to  the  sender.  The  receiver  may  acknowledge  any  number  of  blocks 
received  up  to  the  window  size.  Upon  receiving  the  acknowledgment,  the  sender  must  be 
able  to  deduce  how  many  data  blocks  are  being  acknowledged.  This  is  done  by  observing 
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the  difference  between  the  values  of  the  received  acknowledgment  and  the  sequence 
number  of  the  last  data  block  sent. 

machine  1  machine  2 


DATA 

SEQ 

1 

2 

• 
• 
• 

• 
• 
• 

w 

Sdata 


1 

2 

w 

•    •   • 

seq  :  (  0  ,  1  , ... ,  w  ) 

i :  (  1  ,  2  , ... ,  w  ) 


ACK 

Rdata 


exp  :  (  0  ,  1 w  ) 

j:(l,2,...,w) 


Transition 

Enabling  Predicate 

Action 

-D 

DATA(i)=E  A  SEQ(i)=E 

DATA(i)  .=  Sdata(i) 
SEQ(i)  .=  seq 
inc(i,seq) 

+Ak 
(0<k<w) 

ACK®k  =  seq  A 

ACK*E 

(next  state  :  k) 

ACK .=  E 

+D 

DATA  (J)  *  E  A  SEQ(j)=exp 

Rdata  .=  DATA(j) 
DATA(j).  SEQ(j)  :=  E 
inc(j.exp) 

-A 

DATA(j)=E 

ACK  .=  exp 

Figure  35:  SCM  specification,  Go  Back  N,  window  size  of  l..w. 
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The  general  specification  of  the  protocol  is  given  in  Figure  35.  Included  in  this 
figure  are  the  state  machine  diagrams,  variables  and  the  predicate  action  table.  Initially, 
both  sender  and  receiver  are  in  state  0,  arrays  DATA  and  SEQ  are  empty,  and  ACK  is 
empty.  The  domains  of  DATA,  Rdata  and  Sdata  are  not  specified;  these  are  used  to  hold 
user  data  blocks.  Sdata  and  Rdata  are  the  interface  or  access  points  of  the  higher  layer  (user) 
protocol.  The  local  variables  for  the  sender  are  Sdata,  used  to  store  data  blocks,  seq,  used 
to  store  the  sequence  number  of  the  next  data  block  to  be  sent  out,  and  /,  used  as  an  index 
into  the  DATA  and  SEQ  arrays.  Initially  seq  is  set  to  0,  and  i  is  set  to  1.  The  local  variables 
of  the  receiver  are  Rdata,  exp,  and  j.  Rdata  is  used  to  receive  and  store  incoming  data 
blocks,  exp  to  hold  the  expected  sequence  number  of  the  next  incoming  data  block,  andy  is 
an  index  into  the  shared  arrays  DATA  and  SEQ. 

There  are  four  basic  types  of  transitions  described  in  the  predicate  action  table. 
In  the  sender  the  -D  transition  transmits  a  data  block  by  placing  it  into  the  shared  variable 
DATA(i),  and  the  sequence  number  into  SEQ(i).  The  send  is  enabled  whenever  those 
variables  are  empty.  The  receive  transition  in  the  receiver,  nt2t  is  enabled  whenever  a  data 
block  of  the  appropriate  sequence  number  is  in  the  jth  element  of  DATA  and  SEQ.  An 
acknowledgment  may  be  sent  by  n%2  in  any  state  except  0,  in  which  case  no 
unacknowledged  data  blocks  have  been  received.  The  +A  is  a  receive  transition.  If  mj  is  in 
state  u,  1  <  u  <  w,  and  there  is  a  nonempty  value  in  shared  variable  ACK,  then  exactly  one 
of  the  transitions  +Aq,  +Aj,...,  +Aw.j  will  be  enabled;  it  will  be  that  Ak  such  that  the 

predicate  ACKQk  =  seq  is  true,  and  the  next  state  is  k.  In  the  state  diagram,  all  of  the 
transition  +A/C  are  shown  using  the  same  vertical  line. 

a.      Input  of  variable  definitions. 

A  sample  interaction  using  the  program  for  the  analysis  of  go_back_n,  w=  1  .consists  of  input 
files  and  an  output  file.  The  variable  definitions  contained  in  the  user  specification  file  are: 

package  definitions  is 

type  scm_transition_type  is  (snd_data,  rcv_data, 

snd  ack,  rev  ackO,  unused) ; 
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type  buffer_type  is  (d,e,a); 

type  buf fer_array_type  is  array(l..l)  of  buffer_type; 

type  seq_array_type  is  array(L.l)  of  integer  range  -1..1; 

type  machinel_state_type  is 
record 

state_number  :  natural  :=  1; 

Sdata  :  buf fer_array_type  :=  (others=>d) ; 

seq  :  integer  range  0..1  :=  0; 

i  :  integer  range  1..1  :■  1; 
end  record; 

type  machine2_state_type  is 
record 

state_number  :  natural  :=  1; 

Rdata  :  buffer_type  :=  e; 

exp  :  integer  range  0..1  :=  0; 

j  :  integer  range  1..1  :-  1; 
end  record; 

type  global_variable_type  is 
record 

DATA  :  buf fer_array_type  :=  (others=>e) ; 

SEQ  :  seq_array_type  :=  (others=>-l) ; 

ACK  :  integer  range  -1..1  :=  -1; 
end  record; 

end  definitions; 

b.      Input  of  predicate  analysis. 

The  analyze  predicate  functions  e  contained  in  the  predicate_action.a  file  are: 

function  Analyze_Predicates_Machinel (local  :  machinel_state_type; 

GLOBAL:  giobal_variable_type) 
return  transition_stack_package . stack  is 

tempi  :  integer  :=  GLOBAL. ACK  +  0; 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. i)  =E) 

and  (GLOBAL. SEQ (local. i)  =  -1))  then 

Push (transition_stack, snd_data) ; 

end  if; 

if  ((tempi  =  local. seq)  and  (GLOBAL. ACK  /=  -1))  then 
Push (transition_stack, rcv_ack0) ; 

end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

function  Analyze_Predicates_Machine2 (local  :  machine2_state_type; 

GLOBAL:  global_variable_type) 
return  trans it ion_stack_package . stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. j) /=E) 

and  (GLOBAL. SEQ (local . j)  =  local. exp))  then 

Push  (transition_stack,  rcv_data)'; 
end  if; 
if  (GLOBAL. DATA ( local. j)=E)  then 

Push (transition  stack, snd  ack) ; 
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end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2; 

c.      Input  of  action  table. 

The  action  procedure  is  also  a  separate  compilation  unit  contained  in  the  predicate_action.a 


file: 


procedure  Action (in_system_state  :  in  out  Gstate_record_type; 

in_transition  :  in  out  scm_transition_type; 
out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :=  0; 
begin 

case  (in_transition)  is 
when  (snd_data)  => 

out_system_state . GLOBAL_VARIABLES . 
DATA(in_system_state.machinel_state. i)  :  = 
in_system_state .machinel_state . 
Sdata (in_system_state.machinel_state. i) ; 
OUt_system_st ate . GLOBAL_VARIABLES . 

SEQ (in_system_state . machine l_st ate .i)  := 
in_system_state .machinel_state . seq; 
out_system_state.machinel_state. i  := 

( ( (in_system_state.machinel_state . i)  + 
1 ) mod  1 )  +  1  ; 
out_system_state .machinel_state . seq  := 

( ( (in_system_state.machinel_state .seq)   ' 
+  1 ) mod  2 ) ; 
when  (rcv_ack0)  => 

out_system_state.GLOBAL_VARIABLES.ACK  :=  -1; 
when  (snd_ack)  => 

out_system_state.GLOBAL_VARIABLES .ACK  := 

in_system_state .machine2_state .exp; 
out_system_state .machine2_state .Rdata  :=  e; 
when  (rcv_data)  => 

out_system_state.machine2_state .Rdata  := 

in_system_state . GLOBAL_VARIABLES . DATA 
(in_system_state .machine2_state . j) ; 
Out_system_state.GL0BAL_VARIABLES .DATA 

(in_system_state .machine2_state . j )  :=  E; 
out_system_state . GLOBAL_VARIABLES . SEQ 

(in_system_state .machine2_state . j )  :=  -1; 
out_system_state .machine2_state . j  := 

( ( (in_system_state .machine2_state . j ) 
+  -Drnod  1)  +  1; 
out_system_state .machine2_state .exp  := 

( ( (in_system_state.machine2_state .exp) 
+  1 ) mod  2 ) ; 
when  others  => 

put_line ("There  is  an  error  in  the 
Action  procedure") ; 
end  case; 
end  Action; 
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d.      Input  of  finite  state  machines. 

And,  finally,  the  input  file  for  the  finite  state  machines  is: 

start 

machine  1 

state  0 

trans  snd_data  1 

state  1 

trans  rcv_ackO  0 

machine  2 

state  0 

trans  rcv_data  1 

state  1 

trans  3nd_ack  0 

initial_state  0  0 

finish 


e.      Output  of  analysis. 

The  output  of  the  analysis  is: 


REACHABILITY  ANALYSIS  of  :  90.back_n.wl 
Global  State  GRAPH 
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6 
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7 

7 
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0 
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The  output  indicates  that  no  errors  were  encountered.  The  format  for  the  variables  are  user 
dependent  and,  for  brevity  sake,  the  code  for  formatting  the  output  was  not  included. 

/.      System  state  analysis. 

System  state  analysis  is  similar  to  the  reachability  analysis  used  with  the  pure  finite  state 
machine  model,  but  the  total  number  of  states  which  must  be  generated  with  system  state  analysis  is 
significantly  smaller. 

The  system  state  analysis  for  a  window  size  of  1  is  shown  in  Figure  36.The  subscripts  are 
used  so  that  distinct  system  states  having  the  same  tuple  may  easily  be  distinguished.  The  convention  is  that 
the  subscript  is  initially  0,  and  is  increased  whenever  a  "-A"  transition  is  taken,  by  the  number  of  messages 
which  are  being  acknowledged. 


[polo 


Olo-^-MHlo 


Figure  36:  SCM,  system  state  analysis,  Go  Back  N,  w=l. 

The  analysis  for  w=2  is  shown  in  Figure  37.  The  initial  states  and  variable  values  are  the 
same  as  for  the  w=l,  however  there  are  clearly  more  states  in  the  analysis. 

In  a  comparison  between  window  sizes  of  1  and  2,  it  is  noted  that  the  smaller  graph  is  a 
subgraph  of  the  larger,  either  can  be  obtained  from  the  other.  If  the  subscripts  are  taken  as  the  third  coordinate 
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in  a  3-dimensional  cartesian  coordinate  system,  with  the  states  of  each  machine  as  the  first  two  coordinates. 
The  graph  then  is  the  shape  of  a  tetrahedron,  with  edges  which  are  directed  and  labeled. 


IPPlo 


[21]o±D^[22]0 


"— [20]f 

Figure  37:  SCM,  system  state  analysis,  Go  Back  N,  w=2. 

The  graphs  contained  in  Figure  36  and  Figure  37  are  defined  with  respect  to  a  window  size 

w.  The  graphs,  DTl(w)  for  a  nonnegative  integer  w  is  a  labeled,  directed  graph,  defined  by  the  tuple 

(M  £,  L,  <t>) ,  where  N  =  { (x,  y,  z)  |  (0  <  z  <  w,  z  <  x  <  w,  0  <  y  <  x  -  z) }   is  a  finite  set  of  nodes,  where  each 

node  is  specified  by  an  ordered  triple;  L={-D,  +D,  -A.  +Ao,  +/4y +Aw.j}  is  a  finite  set  of  label;  the  set  E 

of  edges  is  a  set  of  ordered  pairs  ((x/,yy,zy),  (x;,y2,  z2))  of  nodes  from  N,  and  is  the  union  of  the  following 

four  sets: 

Ej  =  {((x.  y.  z),  (x+l.y,  z))/(x,  y,z)eN,x<  w) 

E2  =  {((x,  y,  z).  (x,  y+1.  z))/(x,  y,z)<zN,  y<x-z) 

E3  =  {((x,  y.  z).  (x.  0.  y+z))/(x,  y,  z)  eN,  (y  =  x-z),x>z) 

E4  =  {((x,  y.  z),  (x-z,  y,  0))/(x,  y.z)<zN,z>0) 

and  the  mapping  <t>  (L  ♦-  E)  is  defined  as  follows: 
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V(x,y.z)eEv*(x,y.z)  =  -D 
V(x,y,z)eE2,4>(x,y,z)  =     +D 

V  (x,  y,  z)  e  Ey  <D  (x,  y,  z)  =  TA 

V  (x,  y,  z)  e  E4,  <D  (x,  y,  z)  =     +  Ak    ,  where  £=x-z 

Each  node  of  the  graph  can  be  thought  of  as  a  point  in  3-dimensionaI  space,  with  nonnegative, 
integral  coordinates  (x,y,z).  The  structure  of  the  graph  is  a  sequence  of  w+1  triangles,  one  on  top  of  the  other, 
with  the  largest  triangle  at  the  bottom  and  the  smallest  is  a  single  point  at  the  top  level. 

One  of  the  nice  features  of  the  geometric  structure  of  this  graph  is  that  the  state  of  the  system 
can  be  easily  inferred  from  the  x,  y,  z  coordinates.  For  example,  in  Figure  37,  point  (2,1,0),  or  system  state 
[2,1]0,  the  sender  has  transmitted  2  data  blocks  for  which  no  acknowledgment  has  yet  been  received,  the 
receiver  has  received  3  of  these,  but  acknowledged  non. 

Let  f(w)  be  the  amount  of  nodes  in  a  system  state  graph  and  g(w)  be  the  amount  of  nodes  in 
the  global  reachability  graph.  The  equations  for  g(w)  and  f(w),  and  the  lemmas  that  support  them,  for  the 
go_back_n     protocol     are     found     in     [LUND     91a].     For     instance,     the     graph     DTl(w)     has 

/( w)  =  -  w3  +  w2  +  —  w  +  l .  The  size  of  the  graphs  according  to  window  size  are: 
6  6 


w 

f(w) 

g(w) 

0 

1 

1 

1 

4 

8 

2 

10 

60 

3 

20 

240 

4 

35 

700 

5 

56 

1680 

5 

84 

3528 

7 

120 

6720 

The  output  of  the  program  for  this  protocol  was  compared  to  values  for  f(w)  and  g(w).  Test 
runs  were  done  for  window  sizes  of  0  thru  5  and  the  amount  of  nodes  in  each  graph  were  consistent  with  the 
table  above.  The  specification  input  files  and  the  output  is  in  Appendices  E  through  H. 
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2.     Selective  Repeat 

The  next  analysis  is  the  selective  repeat  protocol.The  specification  defined  in 
[BENV  91]and  [STAL  91]  has  been  modified  as  follows.  There  are  two  machines  in  the 
system,  a  sender^;)  and  a  receiver  (rri2).  The  senders  (jnj)  initial  state  is  0.  Two 
assumptions  were  made  for  the  analysis.  First,  all  the  packets  transmitted  were  received 
without  error  and  second,  no  packets  were  lost  or  reordered  during  the  transmission. 

The  specification  for  the  sender  is  found  in  Figure  38.  As  the  buffer  manager 
places  data  in  the  next  available  sequence  number,  the  sender  places  the  packet  on  the 
channel  and  increments  the  index  for  the  next  packet  to  be  transmitted.  As  long  as  the  next 
packet  is  not  empty,  the  sender  will  continue  this  process  until  the  bottom  state  on  the  finite 
state  machine  is  reached,  indicating  the  transmission  of  a  full  window.  Acknowledgments 
(ACK)  are  passed  to  the  transmitter  as  they  are  received.  If  an  ACK  is  received  then  the 
transmitter  must  determine  if  the  window  may  be  opened  and  if  so,  how  far.  If  the  ACK  is 
not  for  the  first  packet  in  the  window  then  the  flag  ack_rec  is  set,  indicating  that  the  packet 
was  received  correctly.  The  window  is  not  advanced  because  packets  that  were  transmitted 
earlier  are  still  outstanding.  The  sequence  number  within  each  ACK  represents  the  actual 
sequence  number  of  the  packet  received  and  not  the  sequence  number  of  the  next  expected 
packet,  as  is  common  in  many  protocols. 

When  an  ACKs  for  the  first  packet  in  the  window  is  received  the  machine  clears 
its  buffer,  advances  the  window,  and  looks  at  the  next  sequence  number.  If  the  packet  has 
not  been  received,  then  that  becomes  the  beginning  of  the  window.  If  it  has  been  received 
then  the  next  sequence  number  is  examined  until  the  earliest  outstanding  packet  is  found  or 
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the  window  is  fully  opened.  ACKs  that  do  not  correspond  to  any  of  the  sequence  numbers 
within  the  current  window  are  ignored. 

machine  1  machine  2 


*0s 


DATA 


•   •   • 

CD^^-m) 

1    2 

w 

• 
• 

CONTROL 

• 

•    •    • 

*w-Lf         1-d 

1    2 

w 

QvAQ 

1    2                 w 

out  buff : 

ack_rec  :                •  •  • 

i:(0,l,...,w) 

current :  (  0  ,  1  , ... ,  w  ) 

hold:(t,f) 

1 

2 

w 

in_buff : 

•   •    • 

pkt_rec  : 

•   •   • 

j  :  (  0  ,  1  , ...  ,w) 

current :  (  0  ,  1  , ... ,  w  ) 


Transition 

Enabling  Predicate 

Action 

-D 

out  buffer(i)  /=  E  A 
hold=f 

DATA(i)  :=out_buffer(i) 

inc(i) 

if(i=w)  hold  :=  t 

+A 

ack_rec(i)  =/A 
CONTROL=A(i) 

ack  rec(i )  .=  t 
CONTROL(i)  :=  E 

*k 

(0<k<w) 

true 

ack  rec(i)  .  =  / 
hold  .-/ 

-A 

CONTROL(j)=E  A 
pkt_rec(j)=t 

CONTROL(j)  :=  A(j) 
pkt_rec(j)  :-f 
in_buff(j)  :=e,  inc(j) 

+D 

pktjec(j)=f 

in  buffij)  :=  DATA(j) 
DATA(j)  .=  £ 
pkt_rec(j)  :=t 

Figure  38:  SCM  specification,  Selective  Repeat,  window  size  of  l..w. 
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The  receiver  as  shown  in  Figure  38  follows  the  specification  given  in  the 
predicate  action  table.  The  initial  state  of  the  receiving  machine  is  0.  Any  packets  that  are 
received  with  sequence  numbers  outside  of  the  window  are  dropped.  If  a  valid  data  packet 
is  received  then  the  +D  is  taken,  based  upon  whether  the  sequence  number  of  the  received 
packet  is  equal  to  is.  If  the  sequence  number  is  not  is  then  the  flag  pktjrec  is  set  to  t  and  the 
packet  is  stored.  If  it  is  equal  to  is,  then  the  pktjrec  is  set,  the  packet  is  released  to  buffer, 
and  /jis  incremented  until  a  sequence  number  v/ith  pkt_rec-f  is  found 

A  sample  interaction  using  the  program  for  the  analysis  of  selective  repeat, 
w=l, consists  of  input  files  and  an  output  file.  The  variable  definitions  contained  in  the  user 
specification  file  are: 

package  definitions  is 

type  scm_transition_type  is  (snd_data,  rcv_data, 

snd_ack,   rcv_ack, 

adv_winl,  unused) ; 
type  buffer_type   is  (dl,e,al  ); 
type  boolean_type    is  (t,  f); 

subtype  ack_buf fer_type  is  buffer_type  range  e..al; 
subtype  data_buf fer_type  is  buffer_type  range  dl..e; 

type  ack_array_type  is  array(l..l)  of  ack_buf fer_type; 
type  data_array_type  is  array(l..l)  of  data_buf fer_type; 

type  boolean_array_type  is  array(L.l)  of  boolean_type; 

type  machinel_state_type  is 
record 

state_number  :  natural  :=  0; 

out_buffer  :  data_array_type   :=  (dl)  ; 

ack_rec  :  boolean_array_type   :=»  (others=>f ) ; 

current  :  integer  range  1..1  :=  1; 

hold  :  boolean_type       :=  f; 
end  record; 


type  machine2_state_type  is 
record 

state_number     :  natural 
in_buffer        :  data_array_type 
pkt_rec  :  boolean_array_type 

end  record; 


=  0; 

=  (others=>e) ; 

=  (others=>f ) ; 


type  global_variable_type  is 
record 

DATA  :  data_array_type     :=  (others=>e) ; 

CONTROL  :  ack_array_type      :=  (others=>e) ; 

end  record; 

end  definitions; 


76 


a.     Input  of  predicate  analysis. 

The  analyze  predicate  functions  contained  in  the  predicate_action.a  file  are: 

function  Analyze_Predicates_Machinel (local  :  machine l_state_type; 

GLOBAL:  global_variable_type) 
return  transition_stack_package . stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( local. outjbuf f er (1)  /=  E)  then 

Push (transition_stack, snd_datal) ; 
end  if; 
if  ( (local. ack_rec(l)=f)  and  GLOBAL. DATA=A1)  then 

Push ( transit ion_stack, rcv_ackl) ; 
end  if; 

Push (transition_stack, adv_winl) ; 
return  transition_stack; 
end  Analyze_Predicates_Machinel; 

function  Analyze_Predicates_Machine2 (local  :  machine2_state_type; 

GLOBAL:  global_variable_type)  return 
transition_stack_package . stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA  =  Dl)  and  (local .pkt_rec ( 1) =f) )  then 

Push (transition_stack, rcv_datal) ; 
end  if; 
if  ( local. pkt_rec (l)=t)  then 

Push (transition_stack, snd_ackl) ; 
end  if; 
-  return  transition_stack; 
end  Analyze  Predicates  Machine2; 


b.     Input  of  action  table. 

The  action  procedure  is  also  a  separate  compilation  unit  contained  in  the  predicate_action.a 


file: 


procedure  Action (in_system_state   :  in  out  Gstate_record_type; 

in_transition    :  in  out  scm_transition_type; 
out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :=  0; 
begin 

case  (in_transition)  is 
when  (snd_datal)  => 

out_system_state . GLOBAL_VARIABLES . DATA  : = 

in_system_state .machinel_state . out_buf fer (1) ; 
when  (rcv_ackl)  => 

out_system_state.machinel_state.ack_rec (1)  :=  t; 
out_system_st ate. GLOBAL_VARIABLES .DATA  :=  e; 
out_system_state .machinel_state . current  :=  1; 
when  (rcv_datal)  => 

out_system_state .machine2_state . in_buf fer  (1)  :  = 

in_system_st ate .GLOBAL_VARIABLES . DATA; 
out_system_st ate. GLOBAL_VARIABLES .DATA  :=  e; 
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out_system_state .machine2_state.pkt_rec (1) :=  t; 
when  (snd_ackl)  => 

out_system_state.GLOBAL_VARIABLES.DATA  :=  al; 
out_system_state .machine2_state.pkt_rec (1)  :=  f; 
out_system_state .machine2_state . in_buf f er (1) 
when  (adv_winl)    => 

out_system_state .machinel_state . ack_rec 

(in_system_state.machinel_state .current) 
when  others  => 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 


:=  e; 


:=   f; 


c.      Input  of  finite  state  machines. 

And,  finally,  the  input  file  for  the  finite  state  machines  is: 

start 

machine  1 

state  0 

trans  snd_datal  1 

state  1 

trans  rcv_ackl  2 

state  2 

trans  adv_winl  0 

machine  2 

state  0 

trans  rcv_datal  1 

state  1 

trans  snd_ackl  0 

initial_state  0  0 

finish 


d.      Output  of  analysis. 

The  output  of  the  analysis  is: 
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REACHABILITY  ANALYSIS  of  :  sel.rep.ul 
Global  State  GRAPH 


0 

1 

2 
3 

4 

C  0 

C  1 

r  l 

C  1 
l  2 

,  0  ,  Dl  ,  F     ,  E  ,  F     , 
.  0  ,  Dl  ,  F     ,  E  .  F     . 
.  1  ,  m  ,  F    ,  Dl  ,  T 
.  0  ,  Dl  ,  F     ,  E  ,  F     , 
.  o  ,  m  ,  T    ,  E  ,  F    , 

E     ] 
Dl  ] 
,  E     ] 
(0.  ] 
E    1 

snd.datal 

rcv.datal 

snd.ackl 

rcv.ackl 

adv.winl 

1 
2 
3 

4 
0 

Systea  Stat*  GRAPH 

0 

1 
2 
3 

4 

[0,0]        snd.datal 
[1,0]        rcv.datal 
[1,1]        snd.ackl 
[1,0]        rcv.ackl 
[2,0]        adv.winl 

[  1  , 
[  1  » 
[  1  , 
[  2  , 
[  0  , 

0  ]     1 

1  ]    2 
0  ]     3 
0  ]     4 
0  ]    0 

I  Machine  1  Array  Contents  I 

I  Fro*  I  To  I  Transition  I  Executed  I 

I  0   I   1  I  snd.datal   I   yes  I 

I  1   I   2  I  rcv.ackl    I   yes  I 

I  2   I   0  I  adv.winl    I   yes  I 


I  Machine  2  Array  Contents 

I  Fro«  I  To  I  Transition  I  Executed 

I  0  I   1  I  rcv.datal   I   yes 

I  1  I   0  I  snd.ackl    I   yes 


e.      System  state  analysis. 

The  system  state  analysis  for  a  window  size  of  1  is  shown  in  Figure  39.The  subscripts  are 
used  so  that  distinct  system  states  having  the  same  tuple  may  easily  be  distinguished.  The  convention  is  that 
the  subscript  is  initially  0,  and  is  increased  whenever  a  -A  transition  is  taken,  by  the  number  of  messages 
which  are  being  acknowledged  The  analysis  for  w=2  is  shown  in  Figure  40.  As  previously  pointed  out  initial 
states  and  variable  values  are  the  same  as  for  the  w=l,  however  there  are  clearly  more  states  in  the  analysis. 
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Figure  39:  SCM,  system  state  analysis,  Selective  Repeat,  w=l. 
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Figure  40:  SCM,  system  state  analysis,  Selective  Repeat,  w=2. 

The  graphs  contained  in  Figure  39  and  Figure  40  are  the  basis  to  the  definition  of  a  window 
size  of  w.  The  graphs,  SRl(w)  for  a  nonnegative  integer  w  is  a  labeled,  directed  graph,  defined  by  the  tuple 
(N,  E,  L,  <&) ,  where     N  =  { (x,  y,  z)  |  (0  <  z  <  w,  z  <  x  <  2w,  0<y<x-z)}   is  a  finite  set  of  nodes,  where 

each  node  is  specified  by  an  ordered  triple;  L={-D,  +D,  -A,  +A,  R0 Rw.i)  is  a  finite  set  of  label;  the  set  E 

of  edges  is  a  set  of  ordered  pairs  ((x/,  yt,  z{),  (x/t  y2,  z2))  of  nodes  from  N,  and  is  the  union  of  the  following 
four  sets: 
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Ei  =  {((x, y,  z),  (x+w,  y,  z))/(x. y,  z)  eN,  x<w) 

E2  =  {((x. y,  z),  (x,  1, 0))/(x, y,  z)eN,y  +  z< x) 

E3  =  {((x,  y,  z).  (x,  y-1.  z+l))/(x,  y,  z)  eN,  x>z) 

E4  =  {((x,  y,  z),  (x+1,  y,  z))/(x,  y,  z)eN,y  +  z<  x) 

E5  =  {((x,  y.  z),  (x-(w+k),  y,  z))/(x, y,z)eN,  x- (y  +  z)  <  k) 

and  the  mapping  <I>  (L  <-  E)  is  defined  as  follows: 

V(x,y,z)  eEv<J>(xtytz)  = -D 
V(x,y,z)  e£2,<6(xf>,z)  =     +D 
V(x,y,z)  e  Ey  <t>(x,)>,  z)  =  -A 
V(x,y,z)  eE4f<b(x,y,z)  =     +A 
V(x,y,z)  e  E5,4>(x,y,z)  =Rk,k=\w-x\ 

As  with  the  go_back_n  analysis,  each  node  of  the  graph  can  be  thought  of  as  a  point  in  3- 
dimensional  space,  with  nonnegative,  integral  coordinates  (x.y.z).  The  structure  of  the  graph  is  a  sequence  of 
w+1  triangles,  one  on  top  of  the  other,  with  thclargest  triangle  at  the  bottom  and  the  smallest  is  a  single  point 
at  the  top  level. 

Let  f(w)  be  the  amount  of  nodes  in  a  system  state  graph.  The  lemmas  that  support  it,  for  the 

2  2 

selective  repeat  protocol  are  found  in  [JENS  92].  The  graph  SRl(w)  has    /<w)=w+(w+l)     .  The  size 

of  the  graphs  according  to  window  size  are: 


w 

f(w) 

0 

1 

1 

5 

2 

13 

3 

25 

4 

41 

Test  runs  were  done  for  and  the  amount  of  nodes  in  each  graph  were  consistent  with  the  table 
above.  The  specification  input  files  and  the  output  is  in  Appendices  I  and  J. 
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VI.  CONCLUSIONS  AND  RECOMMENDATIONS 

In  this  thesis,  a  program  was  introduced  that  analyzed  network  protocols  using  the 
CFSM  and  SCM  models.  The  program  was  successfully  developed  in  an  Ada  environment. 
The  Ada  tools  that  made  implementing  the  models  easier  were  encapsulation,  information 
hiding,  generic  programming  units. 

In  Ada,  network  protocol  specifications  can  be  represented  in  an  intuitive  manner.  The 
finite  state  machines  and  the  associated  predicate  action  tables  were  converted  to  Ada 
language  parameters  for  the  analysis.  The  language  environment  enforces  the  rules  of  the 
protocol  as  well  as  the  allowable  behavior  of  all  the  variables.  Dynamic  construction  of 
reachability  graphs  allowed  the  user  to  determine  how  large  or  small  an  analysis  should  be. 
The  protocol  designer  or  engineer  that  uses  this  program  can  quickly  become  familiar  with 
the  behavior  of  the  protocol  by  simply  constructing  the  Ada  specification.  It  is  interesting 
to  note  that  due  to  the  automated_specification  analysis  some  previous  work  using  the  SCM 
model  has  since  been  modified.  The  analysis  provides  information  on  occurrences  of 
deadlock,  unspecified  reception,  unexecuted  transition,  and  message  flow  exceeding 
channel  capacity. 

The  programming  environment  provided  an  adequate  platform  to  develop  the 
program.  The  ability  to  use  encapsulation,  information  hiding,  tasking,  and  generic  code 
allowed  the  program  to  be  developed  in  a  step-wise,  compartmented  fashion.  The 
availability  of  a  powerful  debugger  (DBX)  enhanced  the  transition  from  developing  to 
testing  the  program.  To  allow  for  a  more  transportable  product  this  program  might  be 
converted  to  C  or  C++,  so  that  others  may  benefit  from  its  use. 

The  program  was  validated  with  previous  work  done  on  widely  used  protocols.  In 
Lundy's  papers  [LUND  88],  [LUND  91a],  [LUND  91b],  [LUND  92a]  and  [LUND  92b]  a 
number  of  protocols  were  manually  analyzed  using  the  SCM  model.  A  subset  of  those 
analysis  were  performed  using  the  program,  achieving  identical  results.lt  is  interesting  to 
note  that  due  to  the  automated  analysis  of  previous  work  using  the  SCM  model,  some 
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specifications  have  had  to  be  modified.  In  must  also  be  noted  that  example  analysis  were 
only  done  on  two  machine  specifications. 

There  are  several  questions  and  areas  open  for  further  work  which  remain.  An 
important  step  would  be  to  expand  the  program  to  allow  for  more  than  two  machines. 
Although  most  protocols  can  be  modelled  with  two  machines,  it  is  a  realistic  requirement 
to  model  three  or  more.  The  program  could  be  made  more  interactive  with  the  user, 
allowing  the  user  to  change  the  specification  real  time  when  an  error  occurs.  The  program 
was  developed  for  use  on  a  workstation,  future  work  could  concentrate  on  PC  versions  of 
Ada  or  C/C++.  A  picture  is  worth  a  thousand  words;  what  is  done  textually  can  sometimes 
be  represented  better  graphically.  A  graphical  user  interface  would  enhance  the  users 
ability  to  specify  a  protocol  and  understand  the  analysis. 

It  is  important  to  say  that  developing  this  program  was  FUN.  One  of  the  features  of 
this  automated  tool  is  its  understandability.  By  developing  an  automated  tool  it  became 
apparent  that  the  user  needs  to  feel  comfortable  with  the  language  used  as  well  as  how  a 
specification  looks  and  feels  when  input  for  analysis.  The  results  provided  by  the  many  runs 
of  this  program  focused  attention  to  where  it  needed  to  be-  the  protocol  behavior,  not  the 
programming  language  anomalies. 
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APPENDIX  A  CFSM  CODE 


The  program  listing  begins  on  the  following  page. 
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APPENDIX  B  SCM  CODE 


The  program  listing  begins  on  the  following  page. 
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APPENDIX  C  (CFSM)  ALTERNATING  BIT 
INPUT  (FSM) 


start 

machine  1 MACHINE  1- 

state  1 
trans  -X  2 
state  2 
trans  +A  3 
state  3 
trans  -Y  4 
state  4 
trans  +B  1 

machine  2 MACHINE  2- 

state  1 
trans  +X  2 
state  2 
trans  -A  3 
state  3 
trans  +Y  4 
state  4 
trans  -B  1 
initial_state  1  1 
finish 
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OUTPUT 


REACHABILITY  ANALYSIS  of  :  output. alt 


Reachability  Graph 
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1 

Machine  1  Array  Contents  I 

From   I   To   I   Transition   I  Executed  I 


I    1  I    2  I 

I    2  I    3  I 

13  14  1 

I    4  I    1  I 


snd  X  I  yes 

rev  A  I  yes 

snd  Y  I  yes 

rev  B  I  yes 


I        Machine  2  Array  Contents 

I  From   I   To   I   Transition   I  Executed 


1112 

12  13 

13  14 

14  11 


rev  X  I  yes 

snd  A  I  yes 

rev  Y  I  yes 

snd  B  I  yes 


*  The  nodes  generated  by  the  analysis 
were  done  in  a  breadth  first  manner 
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APPENDIX  D  (CFSM)  SLIDING  WINDOW 

INPUT(FSM) 


start 
machine  1 
state  1 
trans  -X  2 
state  2 
trans  +B  7 
trans  -Y  3 
state  3 
trans  +B  8 
trans  +C  4 
state  4 
trans  -2  5 
state  5 
trans  -X  6 
crans  +A  1 
state  6 
trans  +A  2 
trans  +B  7 
state  7 
trans  -Y  a 
state  8 
trans  -2  9 
state  9 
trans  +C  5 
trans  +A  1 
machine  2 
state  1 
trans  +X  2 
state  2 
trans  +Y  3 
state  3 
trans  -C  4 
state  4 
trans  +2  5 
state  5 
trans  +X  6 
state  6 
trans  -B  7 
state  7 
trans  +Y  8 
state  8 
trans  +2  9 
state  9 
trans  -A  1 
initial_state  1  1 
finish 
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OUTPUT 


REACHABILITY  ANALYSIS  of  :  sliding_window 


Reachability  Graph 
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5  ] 

-X 
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E 
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12 
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E  , 

E  , 
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-Y 
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Y 

E 

2 
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1       Machine  1  Array  Contents 

1  From 

To 

Transition   1 

Executed  1 

1    1 

2 

snd 

X    1 

yes     1 

I    2 

7 

rev 

B    1 

no      I 

1    2 

3 

snd 

Y    1 

yes     I 

1    3 
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rev 

B    1 

no      I 

1    3 
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rev 
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yes     1 

1    4 
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snd 
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yes     1 
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6 

snd 
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rev 
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no      1 
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rev 
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no      I 
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rev 
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snd 

Y    1 

yes     1 

1    8 

9 

snd 
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yes     1 

1    9 

5 

rev 

C    1 

no      1 

1    9 
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rev 

A    1 

yes     I 

I        Machine  2  Array  Contents  I 

I  From   I   To   I   Transition   I  Executed  i 


rev 
rev 
snd 
rev 
rev 
snd 
rev 
rev 
snd 


yes 
yes 
yes 
yes 
yes 
yes 
yes 
yes 
yes 


*  The  nodes  generated  by  the  analysis 
were  done  in  a  breadth  first  manner 
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APPENDIX  E  (SCM)  GO_BACK_N,  W=l 
INPUT  (FSM) 


start 

machine  1 

state  0 

trans  snd_data  1 

state  1 

trans  rcv_ackO  0 

machine  2 

state  0 

trans  rcv_data  1 

state  1 

trans  snd_ack  0 

initial_state  0  0 

finish 


176 


VARIABLE  DEFINITIONS 


package  definitions  is 

type  scm_transition_type   is  (snd_datal,  rcv_datal,  snd_ackl, 

rcv_ackl,  adv_winl,  unused) ; 
type  buffer_type    is  (dl,e,al); 
type  boolean_type    is  (t, f ) ; 

type  buf fer_array_type  is  array (1..1)  of  buffer_type; 
type  boolean  array  type  is  array (1..1)  of  boolean  type; 


type  machinel_state_type  is 
record 

state_number  :  natural 

out_buffer  :  buf fer_array_type 

ack_rec  :  boolean_a rray_type 

current  :  integer  range  1..1 

end  record; 


=  0; 

=  (others=>dl) 

=  (others=>f) ; 


type  machine2_state_type  is 
record 

state_number  :  natural 

in_buffer  :  buf fer_array_type 

pkt_rec  :  boolean_array_type 

current  :  integer  range  1..1 
end  record; 


-  0; 

=  (others=>e) ; 

=  (others=>f ) ; 

=  1; 


type  global_variable_type  is 
record 

DATA  :  buffer_type 

end  record; 

end  definitions; 
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PREDICATE-ACTION 

separate  (main) 

function  Analyze_Predicates_Machinel ( local  :  machinel_state  type; 

GLOBAL:  global_variabFe_type)  return  transition 
stack_package.  stack  is 
begin 

MakeEmpty (transition_stack)  ; 

if  (local. out_buf fer (1)  /=  E)  then 

Push (transition_stack, snd_datal) ; 

end  if; 

if  ( (local. ack_rec(l)=f)  and  GLOBAL. DATA=A1)  then 
Push (transition_stack, rcv_ackl) ; 

end  if; 

Push (transition_stack, adv_winl) ; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main) 

function  Analyze_Predicates_Machine2 ( local  :  machine2_state  type; 

GLOBAL:  global_variable_type)  return  transition_ 
stack_cackage. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA  =  Dl)  and  ( local .pkt_rec (1) -f) )  then 

Push (transition_stack, rcv_datal) ; 
end  if; 
if  (local. pkt_rec (1) =t)  then 

Push  (transition_stack, snd_ackl) ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2; 

separate  (main) 

procedure  Action ( in_system_state   :  in  out  Gstate_record_type; 

in_transit ion     :  in  out  scm_t ransit ion_type; 

out_system_state  :  in  out  Gstate_record_type)  is 

_  / 

temp  :  integer  :=  0; 

begin 

case  (in_transit ion)  is 

when  (snd_datal)  => 

out_system_state . GLOBAL_VARIABLES . DATA  : = 

in_system_state .machinel_state. out_buf fer ( 1)  ; 

when  (rcv_ackl)  => 

out_system_state .machinel_state . ack_rec ( 1)  :=  t; 

out_system_state .GLOBAL_VARIABLES .DATA  :=  e; 

out_system_state .machinel_state .current  :=  1; 

when  (rcv_datal)  => 

out_system_state .machine2_state . in_buf fer (1)  : = 

in_system_state.GLOBAL_VARIABLES.DATA; 

out_system_state.GLOBAL_VARIABLES.DATA  :=  e; 

out_system_state .machine2_state .pkt_rec ( 1 ) :=  t; 

when  (snd_ackl)  => 

out_system_state.GLOBAL_VARIABLES  .DATA  :=-  al; 

out_system_state .machine2_state .pkt_rec ( 1)  :=  f; 

out_system_state .machine2_state . in_buf fer (1)  :=  e; 

when  (adv_winl)    => 

out_system_state .ma-  .  • 

chinel_state.ack_rec(in_system_state.machinel_state.current)  :=  f; 

when  others  => 

put_l ine ( "There  is  an  error  in  the  Action  procedure"); 

end  case; 

end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

putC*    t"  '  integer' image (tuple. machinel_state .state_number) ) ; 

put  (*  ,  "  &  integer'  image  (tuple  .mach ine2_state  .  state_number )  )  ; 

put(*  ,  «); 

put (tuple. machinel_state .out_buffer (1)  ,  width  =>  1)  ; 

putr  ,  "); 

put (tuple. machinel_state.ack_rec (1)  ,  width=>2)  ; 

put(*  ,  *); 

put (tuple. machine2_3tate. in_buffer (1)  ,  width  =>  1); 

putC  ,  "); 

put  ( tuple. machine2_st ate  . pkt_rec  (1)  ,  width=»>2)  ; 

put(*  ,  *); 

put  (tuple. GLOBALJ/ARIABLES . DATA,     width    =>2)  ; 

putC   ]"); 
end   output_Gtup4.e; 

separate  (main) 

procedure  output_Gtuple_to_f ile (tuple  :  in  out  Gstate_record_type; 

counter  :  in  out  integer)  is 
begin 

put (reach, counter) ; 

put (reach,"    [™  &  integer' image (tuple .machinel_state . state_number ) ) ; 

put (reach,"  , "  &  integer' image (tuple. machine2_state .state_number) ) ; 

put (reach, "  ,  *) ; 

put (reach, tuple. machinel_state .out_buffer (1) ,  width  =>  1); 

put (reach, "  ,  ") ; 

put (reach, tuple.machinel_state.ack_rec (l),width=>2); 

put (reach, "  ,  *)  ; 

put (reach, tuple. machine2_state . in_buffer (1) ,  width  =>  1); 

put (reach, "  ,  ")  ; 

put  (reach.,  tuple. machine2_st ate  .pkt_rec  (1)  ,  width=>2)  ; 

put (reach, "  ,  *) ; 

put (reach, tuple. GLOBAL_VARIABLES. DATA,  width  =>2); 

put  (reach, "  ]") ; 

new_line (reach) ; 
end  output_Gtuple_to_f ile; 

separate  (main) 

procedure  output_Gstate_node (Gstate  pointer  :  in  out  Glink_type; 

Error_Flag      :  in  out  boolean)  is 
begin 

output_line_count  :=  output_line_count  +  1 ; 
if  ( (output_line_count  mod  10)  =  0)  then 

scroll_pause; 
end  if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system_state_number ,  width  =>  3  )  ; 
output_Gtuple (Gstate  pointer .Gtuple) ; 

if  ( (Gstate_pointer . Tinkl .Glink  =  null)  and  then  (Gstate_pointer . Iink2 .Glink  =  null) 
and  then 

(Gstate_pointer . Iink3 .Glink  =  null)  and  then  (Gstate_pointer . Iink4 .Glink  =  null)) 
then 

Error_flag  :=  true; 
else 

Error_flag  :=  false; 
end  if; 
end  output  Gstate  node; 
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OUTPUT 


REACHABILITY  ANALYSIS  of  :  go  back  n  wl 
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APPENDIX  F  (SCM)  GO_BACK_N,  W=2 
INPUT  (FSM) 


start 

machine  1 

state  0 

trans  snd_data  1 

state  1 

trans  snd_data  2 

trans  rcv_ackO  0 

state  2 

trans  rcv_ackO  0 

trans  rcv_ac)cl  1 

machine  2 

state  0 

trans  rcv_data  1 

state  1 

trans  rcv_data  2 

trans  snd_ack  0 

state  2 

trans  snd_ack  0 

initial_state  0  ( 

finish 
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VARIABLE  DEFINITIONS 

package  definitions  is 


fype  scm_transition_type   is  (snd_data,  rcv_data, 

snd_ack,   rcv_ackO, 
rcv_ackl,  unused) ; 

type  buffer_type    is  (dO,dl,e,a); 

type  buf fer_array_type  is  array (1.. 2)  of  buffer_type; 

type  seq_array_type  is  array(1..2)  of  integer  range  -1..2; 

type  machinel_state_type  is 
record 

state_number  :  natural  :=  0; 

Sdata  :  buf fer_array_type  :»  (d0,dl); 

seq  :  integer  range  0..2  :=  0; 

i  :  integer  range  1..2  :=  1; 
end  record; 

type  machine2_str.te_type  is 
record 

state  number      :  natural  :=  0; 


Rdata 
exp 
J 
end  record; 


buffer_type  :=  e; 
integer  range  0..2  :=  0; 
integer  range  1..2  :=  1; 


type  global_variable_type  is 
record 

DATA  :  buf fer_array_type 

SEQ  :  seq_array_type 

ACK  :  integer  range  -1..2 

end  record; 

end  definitions; 


=  (e,e); 
=  (-1,-1) 

=  -1; 
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PREDICATE-ACTION 

separate  (main) 

function  Analyze_Predicates_Machinel (local  :  machinel_state  type; 

GLOBAL:  global_variabre_type)  return  transition_- 
stack_package. stack  is 

tempi  :  integer  :=  GLOBAL. ACK  +  0; 
temp2  :  integer  :=  (GLOBAL. ACK  +  Dmod  3; 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. i)  =  E)  and  (GLOBAL. SEQ ( local . i)  =  -1))  then 

Push  (transition_stacic,  snd_data)  ; 
end  if; 
if  ((tempi  =  local. seq)  and  (GLOBAL. ACK  /=  -1) )  then 

Push (transition_stack, rcv_ack0)  ; 
end  if; 
if  ( (temp2  -  local. seq)  and  (GLOBAL. ACK  /=  -1))  then 

Push (transition_stack,  rcv_ackl)  ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main) 

function  Analyze_Predicates_Machine2 (local  :  machine2_state_type; 

GLOBAL:  global_variable_type)  return  transition_- 
stack_package. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. j) /=E)  and  (GLOBAL. SEQ ( local . j)  =  local. exp) )  then 

Push (transition_stack,  rcv_data)  ; 
end  if; 
if  (GLOBAL. DATA ( local. j)=E)  then 

Push (transit ion_stack, snd_ack)  ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2; 

separate  (main) 

procedure  Action (in_system_state   :  in  out  Gstate_record_type; 

in_transition     :  in  out  scm_transition_type; 
out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :=  0; 
begin 

case  (in_transition)  is 
when  (snd_data)  => 

out_system_state.GLOBAL_VARIABLES.DATA ( in_system_st ate .machine l_state . i)  := 

in_system_state .machinel_state .Sdata (in_system_state . machine l_state . i) ; 

out_system_state .GLOBAL_VARIABLES .SEQ ( in_system_st ate .machine l_state . i)  := 

in_system_state .machinel_state. seq; 
if  (in_system_state .machinel_state . i  =  1)  then 

out_system_state .machinel_state . i  :=  2; 
else 

out_system_state .machinel_stace . i  :=  1; 
end  if; 

out_system_state .machinel_state . seq  :=  ( ( ( in_system_state .machinel_state . - 
seq)  +  l)mod  3) ; 

when  (rcv_ackO)  => 

out_system_state .GLOBAL_VARIABLES .ACK 
when  (rcv_ackl)  => 

out_system_state .GLOBAL_VARIABLES . ACK 
when  (snd_ack)  => 

out_system_state.GLOBAL_VARIABLES .ACK 
exp; 

out_system_state . machine2_state . Rdata 
when  (rcv_data)  => 

out_system_state . machine2_state. Rdata 
ABLES.DATA( in_system_state .machine2_state.j) ; 

out_system_state .GLOBAL  VARIABLES . DATA ( in  system  state .machine2  state.])  := 
E; 

out_system  state. GLOBAL  VAR IABLES . SEQ  (in  system  state .machine2  state. j)  := 

-1; 

if  (in_system_state .machine2_state . j  =  1)  then 
out_system_state .mach ine2_state . j  :=  2; 
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=  -1; 

=  -1; 

=  in_system_state .machine2_state . 

=  e; 

=  in_system_state.GLOBAL_VARI- 


else 

out_system_state.machine2_state. j  :=  1; 
end  if 7 

out_system_state .machine2_state .exp  := 

(((in_system_state.machine2_state.exp)  +  Dmod  3) ; 
when  others  => 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

put ("    [*  &  integer' image (tuple .machinel_state . state_number)  &  "  »"); 

put (integer' image (tuple .machine2_state.state_number) ) ; 

put(~  ,  "); 

put (tuple. machinel_state.seq,  width  =>  1)  ; 

put(*  ,  "); 

put (tuple. machinel_state.i,  width  =>  1)  ; 

putC  ,  *); 

put  (tuple. machine2_state.exp,  width  =>  1)  ; 

putC  ,  •)  ; 

put  (tuple. machine2_state.  j,  width  =■>  1); 

putC*  ,  *); 

put (tuple. GLOBAL_VARIABLES. DATA(l)  ,  width  =  >3); 

put (tuple. GL0BAL_VARIABLES.SEQ(1)  ,  width=>2)  ; 

putC  ,  *); 

put  (tuple.  GLOBAL_VARIABLES.  DATA(2)  ,  width  =»>3); 

put (tuple.GLOBAL_VARIABLES.SEQ(2) , width=>2)  ; 

putr  ,-); 

put  (tuple. GLOBAL_VARIABLES.ACK,  width  =>  3)  ; 
putr  ]"); 
end  output_Gtuple; 

separate  (main) 

procedure  output_Gtuple_to_f ile (tuple  :  in  out  Gstate_record_type; 

counter  :  in  out  integer)  is 
begin 

put (reach, counter) ; 

put(reach,"    ["  i    integer' image (tuple .machinel_state.state_number)  &  *  ,") ; 

put  (reach,  integer'  image  (tuple.. machine2_state  .  state_number)  )  ; 

put (reach, *,'*); 

put (reach, tuple. machinel_state . seq,  width  =>  1)  ; 

put (reach, "  ,  ") ; 

put (reach, tuple .machinel_state  .  i,  width  =>  1); 

put (reach, "  ,  ")  ; 

put (reach,  tuple .machine2_state .exp,  width  =>  1); 

put (reach, "  ,  ") ; 

put (reach, tuple .machine2_state. j,  width  =>  1) ; 

put  (reach,  ",'"); 

put (reach, tuple. GLOBAL_VAKIABLES. DATA(l)  ,  width  =>3); 

put  (reach, tuple. GLOBAL_VARIABLES .SEQ ( 1)  ,  width  =  >2)  ; 

put (reach, "  ,  ") ; 

put (reach, tuple. GLOBALJ/ARIABLES . DATA(2) ,  width  =>3); 

put  (reach, tuple .GLOBALJ/ARIABLES .SEQ (2)  ,  width  =  >2)  ; 

put (reach, "  ,") ; 

put  (reach, tuple. GLOBAL_VARIABLES . ACK,  width  =>  3); 

put (reach,"  ]"); 

new_line (reach) ; 
end  output_Gtuple_to_f ile; 

separate  (main) 

procedure  output_Gstate_node (Gstate_pointer  :  in  out  Glink_type; 

Error_flag      :  in  out  boolean)  is 
begin 

output_line_count  :=  output_line_count  +  1; 
if  ( (output_line_count  mod  10)  =  0)  then 

scroll_pause; 
end  if; 

set_col (Gcolumn_set)  ; 

put (Gstate_pointer . system_state_number,  width  =>  3); 
output_Gtuple (Gstate_pointer .Gtuple) ; 

if  ( (Gstate_pointer . linkl .Glink  =  null)  and  then  (Gstate_pointer . Iink2 .Glink  =  null) 
and  then 

(Gstate_pointer . Iink3 .Glink  =  null)  and  then  (Gstate_pointer . 1 ink4 .Gl ink  =  null)) 
then 

Error_flag  :=  true; 
else 

Error_flag  :=  false; 
end  if; 
end  output  Gstate  node; 
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APPENDIX  G  (SCM)  GO_BACK_N,  W=3 
INPUT  (FSM) 


start 

machine  1 

state  0 

trans  snd_data  1 

state  1 

trans  rcv_ackO  0 

trans  snd_data  2 

state  2 

trans  rcv_ackO  0 

trans  rcv_ackl  1 

trans  snd~data  3 

state  3 

trans  rcv_ackO  0 

trans    rcv_aclcl    1 

trans  rcv_ack2  2 

machine  2 

state  0 

trans  rcv_data  1 

state  1 

trans  rcv_data  2 

trans  snd_ack  0 

state  2 

trans  rcv_data  3 

trans  snd_ack  0 

state  3 

trans  snd_ack  0 

initial_state  0  C 

finish 
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VARIABLE  DEFINITIONS 


package  definitions  is 


type  scm_transition_type   is  (snd_data,  rcv_data, 

snd_ack,   rcv_ackO, 
rcv_ackl,  rcv_ack.2,  unused) 

type  buffer_type    is  (dO, dl, d2, e, a) ; 

type  buf fer_array_type  is  array(1..3)  of  buffer_type; 

type  seq  array  type  is  array(1..3)  of  integer  range  — 1 . . 3 ; 


type  machinel_state_type 
record 

state_number  : 

Sdata  : 

seq  : 

i  : 

end  record; 


natural  :=  0; 
buf f er_array_type  : 
integer  range  0..3 
integer  range  1..3 


•  (d0,dl,d2) 
:=  0; 
:-  1; 


type  machine2_state_type 
record 

state_number  : 

Rdata  : 

exp  : 

J  : 
end  record; 


natural  :=  0; 
buffer_type  :=  e; 
integer  range  0..3 
integer  range  1..3 


:=  0, 

:=  1, 


type  global_variable_type  is 
record 


DATA 
SEQ 
ACK 
end  record; 


buf fer_array_type 
seq_array_type 
integer  range  -1..3 


=  ( e ,  e ,  e )  ; 

=  (-1,-1,-1) 
=  -1; 


end  definitions; 
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PREDICATE-ACTION 

separate  (main) 

function   Analyze_Predicates_Machinel (local  :  machinel_state  type; 

GLOBAL:  global_variabre_type)  return  transition_ 
stack_package. stack  is 

tempi  :  integer  :=  GLOBAL. ACK  +  0; 
temp2  :  integer  :=»  (GLOBAL. ACK  t  Dmod  4; 
temp3  :  integer  :=  (GLOBAL. ACK  +  2) mod  4; 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. i)  =  E)  and  (GLOBAL. SEQ ( local . i)  =  -1))  then 

Push (transition_stack, snd_data)  ; 
end  if; 
if  ((tempi  -  local. seq)  and  (GLOBAL. ACK  /=  -D)  then 

Push (transition_stack, rcv_ackO)  ; 
end  if; 
if  ( (temp2  -  local. seq)  and  (GLOBAL. ACK  /=  -1))  then 

Push  (transition_stack, rcv_ackl)  ; 
end  if; 
if  ( (temp3  =  local. seq)  and  (GLOBAL. ACK  /=  -1) )  then 

Push (transition_stack, rcv_ack2) ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main)       '  • 

function  Analyze_Predicates_Machine2 ( local  :  machine2_state_type; 

GLOBAL:  global_variable_type)  return  transition_ 
stack_package. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA (local. j) /-E)  and  (GLOBAL. SEQ ( local . j )  =  local. exp) )  then 

Push  (transition_stack, rcv_data) ; 
end  if; 
if  (GLOBAL. DATA (local. j)=E)  then 

Push (transition_stack, snd_ack) ;  , 

end  if; 

return  transit ion_stack; 
end  Analyze_Predicates_Machine2;  —  this  returned  value  is  then  checked  against  the 
machine  arrays 

—  to  determine  if  indeed  this  transition  can  be 
taken 

separate  (main) 

procedure  Action (in_system_state   :  in  out  Gstate_record_type; 

in_transit ion     :  in  out  scm_transition_type; 

out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :■  0; 
begin 

case  ( in_transit ion)  is 
when  (snd_data)  => 

out_system_st ate .GLOBAL  VARIABLES .DATA ( in_sy s t em_st ate .machine l_st ate . i)  : = 
in_system_state .macBinel_state. Sdata ( in_system_state .machinel_state.i) 
out_system_state .GLOBAL_VARIABLES .SEQ ( in_sy stem_st ate .machine l_state . i)  := 

in_system_state .mach inel_state . seq;     •  ■ 
begin 

case  (in  system_state .machinel_state . i )  is 
when  T  => 

out_system_state .machinel_state . i  :=  2; 
when  2  -> 

out_system_state .machinel_state . l  :=  3 
when  3  => 

out_system_state .machinel_state . i  :=  1 
when  others  => 
null; 
end  case; 
end; 

out_system_state . machinel_state . seq  :=  ( ( ( in_system_state .machinel_state . 
seq)  +  1)  mod  4)  ; 

when  (rcv_ack0)  => 

out_system_state.GLOBAL_VARIABLES.ACK  :=  -1; 
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exp; 


when  (rcv_ackl)  ■> 

out_system_state.GLOBAL_VARIABLES.ACK 
when  (rcv_ack2)  => 

out_system_state.GLOBAL_VARIABLES.ACK 
when  (snd_ack)  => 

out_system_stat e . GL0BAL_VAR I ABLES . ACK 


out_system_state.machine2_state.Rdata 
when  (rcv_data)  => 

out_system_state .machine2_state .Rdata 
ABLES. DATA (in_system_s tat e.machine2_st ate. j) ; 

out_system_state . GLOBAL_VARIABLES . DATA ( in_system_state .machine2_state . j ) 


-1; 
-1; 


■  in_system_state .machine2_state . 

=  e; 

=  in_system_state.GLOBAL_VARI- 


E; 
-1; 


out_system_state.GLOBAL_VARIABLES.SEQ    (in_system_state .machine2_state. j)    := 


begin 

case  (in  system_state.machine2_state . j)  is 
when  T  => 

out_system_state .machine2_state  .  j  :=  2 
when  2  »> 

out_system_state .machine2_state . j  :=  3 
when  3  => 

out_system_state .machine2_state  .  j  :»  1 
when  others  »> 
null; 
end  case; 
end; 
out_system_state .machine2_state .exp  :=  ( ( (in_system_state.machine2_state .  ■ 
exp)  +  1) mod  4)  ; 

when  others  => 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

put  C    ["*  S  integer'  image  (tuple  .machinel_state  .  state_number)  £ 

put (integer' image (tuple .machine2_state . state_number) ) ; 

put(*  ,  *); 

put (tuple .machinel  state. seq,  width  =>  1) ; 

putC*  ,  •); 

put (tuple. machinel_state. i,  width  =>  1) ; 

putC  ,  "); 

put (tuple. machine2_state .exp,  width  =>  1) ; 

putt"  ,  •); 

put (tuple. machine2  state. j,  width  =>  1); 

putC  ,  "); 

put (tuple. GLOBAL_VARIABLES. DATA(l) ,  width  =>3); 

put (tuple. GLOBAL  VARIABLES .SEQ ( 1) ,width=>2) ; 

putC  ,  "); 

put (tuple. GLOBALJ/ARIABLES. DATA(2) ,  width  =>3)  ; 

put (tuple. GLOBALJ/ARIABLES. SEQ (2) ,width->2) ; 

put<«  ,  »); 

put (tuple. GLOBALJ/ARIABLES. DATA(3) ,  width  =>3)  ; 

put (tuple.GLOBAL_VARIABLES.SEQ(3) , width=>2) ; 

putC  ,"); 

put (tuple. GLOBAL J/ARIABLES.ACK,     width    =>    3); 

putC"    ]")  ; 
end   output   Gtuple; 


put (reach, counter) ; 

put  (reach,*    ["  &  integer' image (tuple .machinel_state.state_number)  S 
put (reach, integer' image (tuple.machine2_state. state_number) ) ; 
put (reach, *  ,  *)  ; 

put (reach, tuple .machinel_state. seq,  width  =>  1) ; 
put (reach, "  ,  *)  ; 

put (reach, tuple .machinel_state . i,  width  =>  1) ; 
put (reach, "  ,  *) ; 

put (reach, tuple .machine2_state .exp,  width  =>  1); 
put (reach, "  ,  *)  ; 

put ( reach, tuple .machine2_state . j,  width  =>  1); 
put (reach, "  ,  *) ; 

put (reach, tuple. GLOBAL_VARIABLES . DATA (1)  ,  width  =>3); 
put (reach, tuple.GLOBAL_VARIABLES . SEQ (l),width=>2); 
put (reach, "  ,  ") ; 

put  (reach,  tuple. GLOBAL_VARIABLES. DATA'(2)  ,  width  =>3); 
put (reach, tuple. GLOBAL_VARIABLES . SEQ (2) , width=>2) ; 
put  (reach, "  ,") ; 

put (reach, tuple. GLOBAL_VARIABLES . DATA (3)  ,  width  =>3); 
put (reach, tuple. GLOBAL_VARIABLES. SEQ (3)  ,  width=>2)  ;  . 
put (reach, "  , ") ; 

put (reach,  tuple. GLOBAL_VARIABLES.ACK,  width  =>  3); 
put (reach, "  ] ") ; 
new_line (reach) ; 
end  output  Gtuple  to  file; 


,"); 


separate  (main) 

procedure  output_Gstate_node (Gstate  pointer  :  in  out  Glink_type; 

Error_riaq      :  in  out  boolean)  is 
begin 

output_line_count  :=  output_line_count  +  1; 

if  ( (output_line_count  mod  10)  =  0)  then 
scroll_pause; 

end  if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system_state_number,  width  =>  3); 

out put_G tuple (Gstate_pointer .Gtuple) ; 

if  ( (Gstate_pointer . linkl .Glink  =  null)  and  then  (Gstate_pointer . Iink2 .Glink  =  null) 
and  then 

(Gstate_pointer . Iink3 .Gl ink  =  null)  and  then  (Gstate_pointer . Iink4 .Glink  =  null)) 
then 
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Error_flag  :=  true; 
else 

Error_flag  :=  false; 
end  if; 
end  output  Gstate  node; 
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VARIABLE  DEFINITIONS 

package  definitions  is 


type  scm_transition_type   is  (snd_data,  rcv_data, 

snd_ack,   rcv_ackO, 

rcv_ackl,  rcv_ack2, 
rcv_ack3,  unused) ; 

type  buffer_type    is  (dO, dl, d2, d3, e, a) ; 

type  buf fer_array_type  is  array (1.. 4)  of  buffer_type; 

type  seq_array_type  is  array (1.. 4)  of  integer  range  -1..4; 


type  machinel_state_ 

type 

is 

record 

state_number 

: 

natural  :=  0; 

Sdata 

: 

buffer_array  type  : 

■  (d0,dl,d2,d3) ; 

seq 

: 

integer  range  0..4 

:=  0; 

i 

: 

integer  range  1..4 

:=  1; 

end  record; 

type  machine2_state_ 

type 

is 

record 

state_number 

: 

natural  :=  0; 

Rdata 

buffer  type  :=  e; 

exp 

integer  range  0..4 

:=  0; 

J 

: 

integer  range  1..4 

:=  1; 

end  record; 

type  global_variable_type 

is 

record 

DATA 

bu  f  f er_a  r  r a  y_t  ype 

:=  (e,e,e,e); 

SEQ 

seq  array  type 

:=  (-1,-1,-1,-1 

ACK 

integer  range  -1..4 

:=  -1; 

end  record; 

end  definitions; 
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PREDICATE-ACTION 


separate  (main) 

function  Analyze_Predicates_Machinel (local  :  machinel_state  type; 

GLOBAL:  global_variabre_type)  return  transition_ 
stack_package. stack  is 

tempi  :  integer  :=  GLOBAL. ACK  +  0; 
temp2  :  integer  :  =  (GLOBAL. ACK  +  l)mod  5; 
temp3  :  integer  :=  (GLOBAL. ACK  +  2) mod  5; 
temp4  :  integer  :=  (GLOBAL. ACK  +  3) mod  5; 
begin 

MakeEmpty (transit ion_stack) ; 

if  ( (GLOBAL. DATA (local. i)  -  E)  and  (GLOBAL. SEQ ( local . i)  =  -1))  then 

Push (transition_stack, snd_data)  ; 
end  if; 
if  ((tempi  =■  local. seq)  and  (GLOBAL. ACK  /=  -D)  then 

Push(transition_stack, rcv_ack0) ; 
end  if; 
if  ( (temp2  =  local. seq)  and  (GLOBAL. ACK  /=  -1))  then 

Push  (transition_stack, rcv_ackl) ; 
end  -if; 
if  ((temp3  =  local. seq)  and  (GLOBAL. ACK  /=  -1))  then 

Push (transitlon_stack, rcv_ack2)  ; 
end  if; 
if  ((temp4  =  local,  seq)  and  (GLOBAL. ACK  /=  -D)  then 

Push  (transition_stack, rcv_ack3)  ; 
end  if; 

return  transition_stack; 
end  Analyze  Predicates  Machinel; 


separate  (main) 

function  Analyze_Predicates_Machine2 ( local  :  machine2_state_type; 

GLOBAL:  global_var iable_type)  return  transition_- 
stack_package. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA ( local. j) /=E)  and  (GLOBAL. SEQ ( local . j )  =  local. exp) )  then 

Push  (transition_stack, rcv_data) ; 
end  if; 
if  (GLOBAL. DATA) local. j)=E)  then 

Push (transit ion_stack, snd_ack) ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2 ; 

separate  (main) 

procedure  Action (in_system_state   :  in  out  Gstate_record_type; 

in_transition :  in  out  scm_transit ion_type; 

out_system_state  :  in  out  Gstate_record_type)  is 


begin 


temp  :  integer  :=  0; 

case  (in_transition)  is 
when  (snd_data)  => 

out_system_st ate*. GLOBAL  VARIABLES .DATA ( in_system_state .machine l_st ate . i)  := 

in_system_state . macTiinel_state . Sdata ( in_system_state .machinel_state . i) 

out_system_state.GLOBAL_VARIABLES .SEQ ( in_system_s t ate .machine l_st ate . i)  := 

in_system_state . machine l_st ate . seq; 
begin 

case  (in  system_state .machinel_state . i)  is 
when  T  => 

out_system_state .mach inel_state . i  :=  2 
when  2  => 

out_system_state . mach inel_state . i  :=  3 
when  3  => 

out_system_state .machinel_state . i  :=  4 
when  4  => 

out_system_state .machinel_state . i  :=  1 
when  others  => 
null; 
end  case; 
end; 
out_system_state . mach inel_st ate . seq  : = 

(  (  (in_system_state  .machinel_state  .  seq)  +  Dmod  5); 
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exp; 


when  (rcv_ackO)  => 

out_system_state.GLOBAL_VARIABLES.ACK  :=  -1 
when  (rcv_ackl)  => 

out_system_state.GLOBAL_VARIABLES.ACK  :=  -1 
when  (rcv_ack2)  => 

out_system_state.GLOBAL_VARIABLES.ACK  :-  -1 
when  (rcv_ac)t3)  ■> 

out_system_state.GLOBAL_VARIABLES.ACK  :=»  -1; 
when  (snd_ack)  => 

out  system  state. GLOBAL  VARIABLES .ACK 


in_system_state . machine2_state . 
e; 


out_system_state .machine2_state .Rdata 
when  (rcv_data)  »> 

out_system_state . machine2_st ate. Rdata 
in_system_state.GLOBAL_VARIABLES. 
DATA(in_system_state . machine2_state . j) ; 
out_system_state.GLOBAL_VARIABLES .DATA( in  system_state . machine2_state . j) 

E; 
out  system  state .GLOBAL_VARIABLES .SEQ  ( in_system_state .machine2_state. j) 

-1; 

begin 

case  (in_system_state .machine2_Ltate . j)  is 
when  1  »> 

out_system_state.machine2_state. j  :=  2 
when  2~ »> 

out_system_state .machine2_state. j  :=  3 
when  3  => 

out_system_state.machine2_state. j  :=  4 
when  4  => 

out_system_state .machine2_state. j  :=  1 
when  others  => 
null; 
end  case; 
end; 
out_system_state .machine2_scate.exp  :=  ( ( ( in_system_state .machine2_state 
exp)  +  Dmod  5)  ; 
when  others  => 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 


put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 


•  ["*  S  integer' image (tuple. machinel_state.state_number)  & 
integer' image (tuple .machine2_state . state_number) ) ; 

"  ,  *); 

tuple. machinel_state.seq,  width  =>  1); 

•  .  "); 

tuple. machinel_state.i,  width  =>  1); 

■  ,  •); 

tuple. machine2_state.exp,  width  =>  1)  ; 

•  ,  "); 

tuple. machine2_state . j,    width   =>    1)  ; 

tuple. GLOBALJ/ARIABLES. DAT A ( 1)  ,    width   =>3)  ; 
tuple. GLOBAL_VARIABLES.SEQ(l)  ,  width=>2)  ; 

tuple. GLOBALJ/ARIABLES. DATA (2 )  ,    width   =>3)  ; 
tuple. GLOBAL   VARIABLES .SEQ (2) , width=>2) ; 

■  ,  m); 

tuple. GLOBALJ/ARIABLES. DATA(3)  ,    width   =>3); 
tuple.GLOBAL_VARIABLES.SEQ(3) ,width=>2)  ; 

tuple '.GLOBALJ/ARIABLES.DATA  (4)  ,    width    =>3); 
tuple. GLOBALJ/ARIABLES. SEQ (4) ,width=>2)  ; 

tuple. GLOBAL J/AR I ABLES.ACK,    width    =>    3); 


'); 


end  output_Gtuple; 

separate  (main) 

procedure  output_Gtuple_to_f ile (tuple  :  in  out  Gstate_record_type; 

counter  :  in  out  integer)  is 
begin 

put (reach, counter) ; 

put (reach,"    [w  &  integer' image (tuple .machinel_state . state_number)  &  w  ,"); 

put  (reach, integer' image (tuple .machine2_state . state_number) ) ; 

put (reach, "  ,  *) ; 

put (reach, tuple .machinel_state . seq,  width  =>  1); 

put (reach, "  ,  ") ; 

put (reach, tuple .machinel_state . i,  width  =>  1) ; 

put (reach, "  ,  ") ; 

put (reach, tuple. machine2_state.exp,  width  =>  1)  ; 

put (reach, "  ,  *)  ; 

put (reach, tuple. machine2_state. j,  width  =>  1); 

put (reach, "  ,  ") ; 

put (reach, tuple. GLOBALJ/ARIABLES. DATA(l) ,  width  =>3); 

put (reach, tuple .GLOBALJ/ARIABLES .SEQ ( 1) , width=>2) ; 

put (reach, "  ,  *) ; 

put (reach, tuple. GLOBALJ/ARIABLES. DATA (2) ,  width  =>3); 

put  (reach, tuple .GLOBAL_VARIABLES . SEQ (2),width  =  >2); 

put (reach, "  ,") ; 

put  (reach, tuple. GLOBALJ/ARIABLES. DATA(3) ,  width  =>3); 

put (reach, tuple .GLOBALJ/ARIABLES .SEQ ( 3)  ,  width=>2)  ; 

put (reach, "  , ")  ; 

put  (reach, tuple. GLOBALJ/ARIABLES. ACK,  width  =>  3); 

put (reach, "  ]") ; 

new_line (reach) ; 
end  output_Gtuple_to_f ile; 

separate  (main) 

procedure  output J3state_node (Gstate  pointer  :  in  out  Glink_type; 

Error_riag      :  in  out  boolean)  is 
begin 

output_line_count  :=  output_line_count  +  1; 

if  ( (output_line_count  mod  10)  =  0)  then 
scroll_pause; 

end  if; 

set_col (Gcolumn_set)  ; 

put (Gstate_pointer . system_state_number,  width  =>  3); 

output_Gtuple (Gstate  pointer .Gtuple) ; 

if  ( (Gstate_pointer.rinkl.Glink  =  null)  and  then  (Gstate_pointer . Iink2 .Glink.  =  null) 
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and  then 

(Gstate_pointer . Iin)c3 .Glink  =  null)  and  then  (Gstate_pointer.  Iin)c4  .Glink  =  null)) 
then 

Error_flag  :»  true; 
else 

Error_flag  :»  false; 
•end  if; 
end  output_Gstate_node; 
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OUTPUT 

REACHABILITY  ANALYSIS  of  :  go_back_n_w4 
Global  State  GRAPH 


0 

[  0  , 

0  , 

0  , 

1  , 

0  , 

1  , 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 

1 

1 

[  1  , 

0  , 

1  , 

2  , 

0  , 

1  , 

DO 

0  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd_data 
rcv_data 

2 

3 

2 

[  2  , 

0  ■ 

2  , 

3  , 

0  , 

1  , 

DO 

0  , 

Dl 

1 

E 

-1 

,E 

-1  , 

-1 

]  snd_data 
rcv_data 

4 
5 

4 

[  3  , 

0  ■ 

3  , 

4  , 

0  , 

1  , 

DO 

0  , 

Dl 

1 

D2 

2 

,E 

-1  , 

-1 

]  snd  data 
rev  data 

7 
8 

7 

(  4  , 

0  , 

4  , 

1  , 

0  , 

1  , 

DO 

0  , 

Dl 

1 

D2 

2 

,D3 

3  , 

-1 

]  rcv_data 

12 

12 

[  4  , 

1  , 

4  , 

1  , 

1  , 

2  , 

E 

-1  , 

Dl 

1 

D2 

2 

,D3 

3  , 

-1 

]  rcv_data 

18 

18 

[  4  , 

2  , 

4  , 

1  , 

2  , 

3  , 

E 

-1  , 

E 

-1 

D2 

2 

,D3 

3  , 

-1 

]  rev  data 

26 

26 

[  4  , 

3  , 

4  , 

1  , 

3  , 

4  , 

E 

-1  , 

E 

-1  , 

E 

-1 

,D3 

3  , 

-1 

]  rev  data 

36 

36 

[  4  , 

4  , 

4  , 

1  , 

4  , 

1  , 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  ack 

47 

47 

[  4  , 

0  , 

4  , 

1  , 

4  , 

1  , 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

4 

]  rev  ackO 

60 

60 

[  o  , 

o  , 

4  , 

1  , 

4  , 

1  , 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 

72 

72 

[  1  i 

0  , 

0  , 

2  , 

4  , 

1  , 

DO 

4  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

j  snd_data 
rev  data 

87 
88 

87 

t  2  , 

0  , 

1  , 

3  , 

4  , 

1  , 

DO 

4  , 

Dl 

0 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 
rev  data 

102 
103 

102 

[  3  , 

0  , 

2  , 

4  , 

4  , 

1  , 

DO 

4  , 

Dl 

0 

D2 

1 

,E 

-1  , 

-1 

]  snd  data 
rcv_data 

120 

121 

120 

[  4  , 

0  , 

3  , 

1  , 

4  , 

1  , 

DO 

4  , 

Dl 

0 

D2 

1 

,D3 

2  , 

-1 

]  rev  data 

134 

134 

[  4  , 

1  , 

3  , 

1  , 

0  , 

2 

E 

-1  , 

Dl 

0 

D2 

1 

,D3 

2  , 

-1 

]  rev  data 

150 

150 

[  4  , 

2  , 

3  , 

1  , 

1  , 

3 

E 

-1  , 

E 

-1 

D2 

1 

,D3 

2  , 

-1 

]  rev  data 

162 

162 

[  4  , 

3  , 

3  , 

1  , 

2  , 

4  , 

E 

-1  , 

E 

-1 

E 

-1 

,D3 

2  , 

-1 

]  rcv_data 

176 

176 

[  4  , 

4  , 

3  , 

1  , 

3  , 

1  , 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  ack 

187 

187 

[  4  , 

0  , 

3  , 

1  , 

3  , 

1 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

3 

]  rcv_ack0 

200 

200 

[  0  , 

0  , 

3  , 

1  , 

3  , 

1 

E 

-1  , 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 

212 

212 

(  1  , 

0  , 

4  , 

2  , 

3  , 

1 

DO 

3 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 
rev  data 

227 
228 

227 

[  2  , 

0  , 

0  , 

3  , 

3  , 

1 

DO 

3 

Dl 

4 

E 

-1 

,E 

-1  , 

~r 

]  snd_data 
rev  data 

242 
243 

242 

[  3  , 

0 

1  , 

4 

3~, 

1 

DO 

3 

Dl 

4 

D2 

0 

,E 

-1  , 

-i 

]  snd  data 
rev  data 

260 
261 

260 

[  4  , 

0 

2  , 

1  , 

3  , 

1 

DO 

3 

Dl 

4 

D2 

0 

,D3 

1  , 

-i 

]  rev  data 

274 

274 

[  4 

1 

2  , 

1  , 

4 

2 

E 

-1 

Dl 

4 

D2 

0 

,D3 

1 

-i 

]  rev  data 

290 

290 

[  4 

2  , 

2  , 

1 

0 

3 

E 

-1 

E 

-1 

D2 

0 

,D3 

1  , 

-i 

]  rev  data 

302 

302 

[  4 

3 

2  , 

1 

1 

4 

E 

-1 

E 

-1 

E 

-1 

,D3 

1 

-i 

]  rev  data 

316 

316 

[  4 

4 

2  , 

1 

2 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

-i 

j  snd  ack 

327 

327 

(  4 

0 

2  , 

1 

2 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

2 

]  rcv_ack0 

340 

340 

(  o 

0 

2  , 

1 

2 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

-1 

]  snd  data 

352 

352 

(  1 

0 

3  , 

2 

2 

1 

DO 

2 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 
rev  data 

367 

368 

367 

[  2 

0 

4  , 

3 

2 

1 

DO 

2 

Dl 

3 

E 

-1 

,E 

-1  , 

-1 

]  snd  data 
rev  data 

382 
383 

382 

[  3 

0 

0  , 

4 

2 

1 

DO 

2 

Dl 

3 

D2 

4 

,E 

-1 

-1 

]  snd  data 
rev  data 

400 
401 

400 

[  4 

0 

1  , 

1 

2 

1 

DO 

2 

Dl 

3 

D2 

4 

,D3 

0 

-1 

]  rcv_data 

414 

414 

[  4 

1 

1  , 

1 

3 

2 

E 

-1 

Dl 

3 

D2 

4 

,D3 

0 

-1 

]  rev  data 

430 

430 

[  4 

2 

1  , 

1  , 

4 

3 

E 

-1 

E 

-1 

D2 

4 

»D3 

0 

-1 

]  rev  data 

442 

442 

[  4 

3 

1  , 

1 

0 

4 

E 

-1 

E 

-1 

E 

-1 

,D3 

0 

-1 

]  rev  data 

456 

456 

[  4 

4 

1  , 

1 

1 

1 

E 

-1 

E 

-1  - 

E 

-1 

,E 

-1 

-1 

]  snd  ack 

467 

467 

[  4 

0 

1  , 

1 

1 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

1 

]  rev  ackO 

480 

480 

[  o 

0 

1  , 

1 

1 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

-1 

]  snd  data 

492 

492 

[  1 

0 

2  , 

2 

1 

1 

DO 

1 

E 

-1 

E 

-1 

,E 

-1 

-1 

]  snd  data 
rev  data 

507 
508 

507 

[  2 

0 

3  , 

3 

1 

1 

DO 

1 

Dl 

2 

E 

-1 

,E 

-1 

-1 

]  snd  data 
rev  data 

522 

523 

522 

[  3 

0 

4  , 

4 

1 

1 

DO 

1 

Dl 

2 

D2 

3 

,E 

-1 

-1 

]  snd  data 
rcv_data 

540 
541 

540 

[  4 

0 

0 

1 

1 

1 

DO 

1 

Dl 

2 

D2 

3 

,D3 

4 

-1 

]  rev  data 

554 

554 

[  4 

1 

0 

1 

2 

2 

E 

-1 

Dl 

2 

D2 

3 

,D3 

4 

-1 

]  rev  data 

570 

570 

[  4 

2 

0 

1 

3 

3 

E 

-1 

E 

-1 

D2 

3 

,D3 

4 

-1 

]  rev  data 

582 

582 

[  4 

3 

0 

1 

4 

4 

E 

-1 

E 

-1 

E 

-1 

,D3 

4 

-1 

]  rev  data 

596 

596 

[  4 

4 

0 

1 

0 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

-1 

]  snd  ack 

607 

607 

[  4 

0 

0 

1 

0 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1 

0 

]  rev  ackO 

0 

541 

(  3 

1 

4 

4 

2 

2 

E 

-1 

Dl 

2 

D2 

3 

,E 

-1 

-1 

]  snd  data 

554 

. 

rev  data 

555 

555 

(  3 

2 

4 

4 

3 

3 

E 

-1 

E 

-1 

D2 

3 

,E 

-1 

-1 

]  snd  data 
rev  data 

570 

571 
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571 

3  , 

3  , 

4 

4  , 

4 

4 

E 

-1 

E 

-1  , 

E 

-1 

,E 

-1  , 

-1 

snd  data 
snd_ack 

582 
583 

583 

3  , 

0  , 

4 

4  , 

4 

4 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

4 

rev  ackO 
snd_data 

597 
598 

597 

0  , 

0  , 

4 

4  , 

4 

4 

E 

-1 

E 

-1  , 

E 

-1 

,E 

-1  , 

-1 

snd_data 

608 

608 

1  , 

0  , 

0 

1  , 

4 

4 

E 

-1 

E 

-1 

E 

-1 

,D3 

4  , 

-1 

snd  data 
rcv_data 

620 
621 

620 

2 

o  , 

1 

2  , 

4 

4 

DO 

0 

E 

-1 

E 

-1 

,D3 

4  , 

-1 

snd  data 
rcv_data 

631 
632 

631 

3  , 

0  , 

2 

3 

4 

4 

DO 

0 

Dl 

1 

E 

-1 

,D3 

4  , 

-1 

snd_data 
rcv_data 

645 
646 

645 

4  , 

0  , 

3  , 

4  , 

4 

4 

DO 

0 

Dl 

1 

D2 

2 

,D3 

4  , 

-1 

rcv_data 

658 

658 

4  , 

1  , 

3 

4  , 

0 

1 

DO 

0 

Dl 

1 

D2 

2 

,E 

-1  , 

-1 

rcv_data 

673 

673 

4  , 

2  , 

3 

4 

1 

2 

E 

-1 

Dl 

1 

D2 

2 

,E 

-1  , 

-1 

rcv_data 

682 

682 

4 

3  , 

3 

4 

2 

3 

E 

-1 

E 

-1 

D2 

2 

,E 

-1  , 

-1 

rev  data 

692 

692 

4 

4 

3 

4  , 

3 

4 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

snd  ack 

696 

696 

4 

0  , 

3 

4 

3 

4 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

3 

rcv_aclcO 

37 

646 

3 

1  , 

2 

3  , 

0 

1 

DO 

0 

Dl 

1 

E 

-1 

,E 

-1  , 

-1 

snd_data 
rcv_data 

658 
659 

659 

3  , 

2  , 

2 

3  , 

1 

2 

E 

-1 

Dl 

1 

E 

-1 

,E 

-1  , 

-1 

snd  data 
rcv_data 

673 
£74 

674 

3 

3  , 

2 

3  , 

2 

3 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

snd_data 
snd_ack 

682 
683 

683 

3  , 

0  , 

2 

3  , 

2 

3 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

2 

rev  ackO 
snd  data 

20 
693 

693 

4 

0  , 

3 

4  , 

2 

3 

E 

-1 

E 

-1 

D2 

2 

,E 

-1  , 

2 

rev  ackl 
rcv_data 

28 

697 

697 

4  , 

1  , 

3 

4  , 

3 

4 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

2 

rev  ackl 
snd  ack. 

40 
696 

632 

2  , 

1  , 

1  , 

2  , 

0 

1 

DO 

0 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

snd_data 
rev  data 

646 
647 

647 

2  , 

2  , 

1 

2  , 

1  , 

2 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

snd_data 
snd  ack 

659 
660 

660 

2  , 

0  , 

1 

2  , 

1 

2 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

1 

rcv_ackO 
snd  data 

10 
675 

675 

3  , 

0  , 

2  , 

3  , 

1 

2 

E 

-1 

Dl 

1 

E 

-1 

,E 

-1  , 

1 

rcv_ackl 
snd  data 

15 

684 

rcv_data 

685 

684 

4  , 

"0  . 

3  , 

4  , 

1 

2 

E 

-1 

Dl 

1 

D2 

2 

,E 

-1  , 

1 

rev  ack2 

rev  data 

22 

694 

694 

4  , 

1  , 

3 

4  , 

2  , 

3 

E 

-1 

E 

-1 

D2 

2 

,E 

-1  , 

1 

rev  ack2 
rev  data 

32 

698 

698 

4  , 

2  , 

3  , 

4  , 

3  , 

4 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

1 

rcv_ack2 
snd  ack 

44 
696 

685 

3  , 

1  , 

2  , 

3  , 

2 

3 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

1 

rev  ackl 
snd  data 
snd  ack 

23 
694 
683 

621 

1  , 

1  , 

0  , 

1  , 

0 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

-1 

snd  data 
snd  ack 

632 
633 

633 

1  , 

0  , 

0  , 

1  , 

0  , 

1 

E 

-1 

E 

-1 

E 

-1 

,E 

-1  , 

0 

rev  ackO 
snd  data 

0 
648 

648 

2  , 

o  , 

1 

2  , 

0 

1 

DO 

0 

E 

-1 

E 

-1 

,E 

-1  , 

0 

rev  ackl 
snd  data 
rev  data 

1 
661 
662 

661 

3  , 

o  , 

2 

3  , 

o  , 

1 

DO 

0 

Dl 

1 

E 

-1 

,E 

-1  , 

0 

rev  ack2 
snd  data 
rcv_data 

2 
676 
677 

676 

4  , 

o  , 

3  , 

4  , 

0  , 

1 

DO 

0 

Dl 

1  , 

D2 

2 

,E 

-1  , 

0 

rcv_ack3 
rev  data 

4 
686 

686 

4  , 

1  , 

3  , 

4  , 

1  , 

2 

E 

-1 

Dl 

1  , 

D2 

2 

,E 

-1  , 

0 

rev  ack3 
rev  data 

8 
695 

695 

4  , 

2  , 

3  , 

4  , 

2  , 

3 

E 

-1  , 

E 

-1  , 

02 

2 

,E 

-1  , 

0 

rev  ack3 
rcv_data 

13 
699 

699 

4  , 

3  . 

3  , 

4  , 

3  , 

4 

E 

-1  , 

E 

-1  , 

E 

-1 

,E 

-1  , 

0 

rev  ack3 

snd  ack 

19 
696 

677 

3  , 

1  , 

2  , 

3  , 

1  , 

2 

E 

-1  , 

Dl 

1  , 

E 

-1 

,E 

-1  , 

0 

rev  ack2 
snd  data 
rev  data 

5 
686 
687 

687 

3  , 

2  , 

2  , 

3  , 

2  , 

3 

E 

-1  , 

E 

-1  , 

E 

-1 

,E 

-1  , 

0 

rev  ack2 
snd  data 
snd  ack 

9 
695 
683 

662 

2  , 

1  , 

1  , 

2  , 

1  , 

2 

E 

-1  , 

E 

-1  , 

E 

-1 

,E 

-1  , 

0 

rcv_ackl 
snd  data 
snd  ack 

3 
677 
660 

598 

4  , 

0  , 

0  , 

1  , 

4  , 

4 

E 

-1  , 

E 

-1  , 

E 

-1 

,D3 

4  , 

4 

rev  ackl 
rev  data 

608 
609 

208 
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System  State  GRAPH 
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1       Machine  1  Array  Contents           1 

1  From 

To 
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APPENDIX  I  (SCM)  SELECTIVE  REPEAT,  W=l 

INPUT 


start 

machine    1 

state   0 

trans  snd_datal  1 

state  1 

trans    rev   aclcl   2 

state  2 

trans  adv_wi.nl  0 

machine  2 

state  0 

trans  rcv_datal  1 

state  1 

trans  snd_ackl  0 

initial_state  0  0 

finish 


228 


VARIABLE  DEFINITIONS 


package  definitions  is 

type  scm_transition_type   is  (snd_datal,  rcv_datal,  snd_ackl, 

•  rcv_ackl,  adv_winl,  unused); 

type  buffer_type    is  (dl,e,al); 
type  boolean_type    is  (t,f); 

type  buf fer_array_type  is  array (1..1)  of  buffer_type; 
type  boolean_array_type  is  array(L.l)  of  boolean_type; 


type  machinel_state_type  is 
record 

state_number  :  natural 

out_buffer  :  buf fer_array_type 

ack_rec  :  boolean_array_type 

current  :  integer  range  1..1 

end  record; 


=  0; 

=  (others=>dl) 

=  (others=>f ) ; 

=  1; 


type  machine2_state_type  is 
record 

state  number  :  natural 

in_buffer  :  buf fer_array_type 

pkt_rec  :  boolean_array_type 

current  :  integer  range  1 . . 1 

end  record; 


=  0; 

:=  (others=>e) ; 

=  (others->f) ; 

:=  1; 


type  global_variable_type  is 
record 

DATA  :  buffer_type 

end  record; 

end  definitions; 


:=  e; 
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PREDICATE-ACTION 

separate  (main) 

function  Analyze_Predicates_Machinel ( local  :  machinel_state  type; 

GLOBAL:  global_variabre_type)  return  transition 
stack_package. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  (local. out_buf fer (1)  /=  E)  then 

Push (transition_stack, snd_datal) ; 

end  if; 

if  ( (local. ack_rec(l)=f)  and  GLOBAL. DATA=A1)  then 
Push (transition_stack, rcv_ackl) ; 

end  if; 

Push (transition_stack, adv_winl) ; 

return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main) 

function  Analyze_Predicates_Machine2 ( local  :  machine2_state_type; 

GLOBAL:  global_variable_type)  return  transition_ 
stack_package. stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  ( (GLOBAL. DATA  =  Dl)  and  ( local .pkt_rec (1) =f) )  then 

Push (transition_stack, rcv_datal) ; 
end  if; 
if  (local. pkt_rec (1) =t)  then 

Push (transition_stack, snd_ackl) ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2;  —  this  returned  value  is  then  checked  against  the 
machine  arrays 

--  to  determine  if  indeed  this  transition  can  be 
taken 

separate  (main) 

procedure  Act  ion ( in_system_state   :  in  out  Gstate_record_type; 

in_transit ion     :  in  out  scm_t ransit ion_type; 

out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :=  0 ; 
begin 

case  ( in_transition)  is 
when  (snd_datal)  => 

out_system_state .GLOBAL_VARIABLES .DATA  := 

in_system_state .machinel_state. out_buf fer ( 1) ; 
when  (rcv_ackl)  => 

out_system_state . machinel_state .ack_rec ( 1 )  :=  t; 
out_system_state .GLOBAL_VARIABLES .DATA  :=  e; 
out_system_state . machinel_state .current  :=  1; 
when  (rcv_datal)  => 

out_system_state.machine2_state. in_buffer (1)  := 

in_system_state .GLOBAL_VARIABLES . DATA; 
out_system_state .GLOBAL_VARIABLES .DATA  :=  e; 
out_system_state .mach ine2_state . pkt_rec ( 1) :=  t ; 
when  (snd_ackl)  => 

out_system_state.GLOBAL_VARIABLES .DATA  :=  al; 
out_system_state .machine2_state . pkt_rec ( 1)  :=  f; 
out_system_stace .machine2_state . in_buf fer ( 1 )  :=  e; 
when  (adv_winl)    => 

out_system_state . ma- 
ch inel_state .ack_rec ( in_system_state .machinel_state.current)  :=  f; 
when  others  => 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 

put  ("    ["  &  integer' image (tuple .machinel_state.state_number) ) ; 

putC*  , "  &  integer' image (tuple .machine2_state . state_number) ) ; 

put(*  ,  •); 

put (tuple. machinel_state. out_buffer (1) ,  width  =»>  1); 

putC  ,  *); 

put (tuple. machinel_state.ack_rec (1)  ,  width->2) ; 

putC  ,  •); 

put (tuple. machine2_state. in_buffer (1)  ,  width  =>  1); 

put(*  ,  ■); 

put (tuple. machine2_state.pkt_rec (1)  ,  width=>2) ; 

put("  ,  "J  ; 

put  (tuple. GLOBALJ/ARIABLES . DATA,  width  =»2)  ; 

put(«  ]"); 
end  output_Gtuple; 

separate  (main) 

procedure  output_Gtuple_to_f ile (tuple  :  in  out  Gstate_record_type; 

counter  :  in  out  integer)  is 
begin 

put (reach, counter) ; 

put (reach,"    [*  &  integer' image (tuple .machinel_state . state_number) ) ; 

put (reach,"  ,"  &  integer' image (tuple .machine2_state . state_number) ) ; 

put (reach, "  ,  *) ; 

put (reach, tuple. machinel_state .out_buffer ( 1) ,  width  =»>  1); 

put (reach, "  ,  n) ; 

put (reach,  tuple .machine l_st ate .ack_rec (1) , width=>2) ; 

put (reach, "  ,  n) ; 

put (reach, tuple. machine2_state. in_buffer (1) ,  width  =>  1) ; 

put (reach, "  ,  ") ; 

put  (reach,  tuple  .machine2_state  .plct_rec  (1)  ,  width=>2)  ; 

put (reach, "  ,  ■)  ; 

put  (reach, tuple. GLOBAL_VARIABLES. DATA,  width  =>2); 

put  (reach,"  ]"); 

new_line (reach) ; 
end  output_Gtuple_to_f ile; 

separate  (main) 

procedure  output_Gstate_node (Gstate  pointer  :  in  out  Glink_type; 

Error_rlag      :  in  out  boolean)  is 
begin 

output_line_count  :=  output_line_count  .+  1; 
if  ( (output_line_count  mod  10)  =  0)  then 

scroll_p'ause; 
end  if; 

set_col (Gcolumn_set ) ; 

put (Gstate_pointer . system_state_number,  width  =>  3); 
output_Gtuple (Gstate  pointer .Gtuple) ; 

if  ( (Gstate_pointer .Tinkl .Glink  =  null)  and  then  (Gstate_pointer . Iink2 .Gl ink  =  null) 
and  then 

(Gstate_pointer. Iink3 .Glink  =  null)  and  then  (Gstate_pointer . 1 ink4 .Gl ink  =  null)) 
then 

Error_flag  :=  true; 
else 

Error_flag  :=  false; 
end  if; 
end  output  Gstate  node; 
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OUTPUT 

REACHABILITY  ANALYSIS  of  :  sel_rep_wl 

Global  State  GRAPH 

snci  datal  1 

rcv_datal  2 

snd_ackl  3 

rcv_ackl  4 

I  2  ,  0  ,  Dl  ,  T   ,  E  ,  F   ,  E   ]          adv_winl  0 

System  State  GRAPH 
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snd   datal 

[  i  .  o  : 
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rev  datal 

t  i  .  i  : 

1      2 
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[1.1] 

snd   ackl 

[1,0] 
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[1,0] 

rev  ackl 

[2,0] 
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4 

[2,0] 

adv   winl 

[0,0] 

0 

Machine  1  Array  Contents  I 

From   I   To   I   Transition   I  Executed  i 


I  0  I  1  I  snd_datal  I  yes  I 
I  1  I  2  I  rcv_ackl  I  yes  I 
I    2    I    0   I   adv_winl     I    yes     I 


I  Machine  2  Array  Contents  I 

I  From  I   To   I   Transition   I  Executed  I 

I  0  I    1   I   rcv_datal    I    yes  I 

I  1  I    0   I   snd  ackl     I    yes  I 
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APPENDIX  J  (SCM)  SELECTIVE  REPEAT,  W=2 

INPUT  (FSM) 


start 

machine    1 

state   0 

trans  snd_datal  1 

state  1 

trans  rcv_ac)cl  2 

state  2 

trans  adv_wi.nl  0 

machine  2 

state  0 

trans  rcv_datal  1 

state  1 

trans  snd_ackl  0 

initial_state  0  0 

finish 
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VARIABLE  DEFINITIONS 


package  definitions  is 

type  scm_transition_type   is  (snd_data,  rcv_data, 

snd_ack,   rcv_ack, 
adv_winl,  unused) ; 

type  buffer_type    is  (dl,  d2,  e, al, a2)  ; 

type  boolean_type    is  (t,f); 

subtype  ack_buf fer_type  is  buffer_type  range  e..a2; 

subtype  data_buf fer_type  is  buffer_type  range  dl..e; 

type  ack_array_type  is  array (1.. 2)  of  ack_buf fer_type; 
type  data_array_type  is  array (1.. 2)  of  data_buf fer_type; 

type  boolean_array_type  is  array(1..2)  of  boolean_type; 


type  machinel_state_type  is 
record 

state_number  :  natural 

out_buffer  :  data_array_type 

ack_rec  :  boolean_array_type 

current  :  integer  range  1..2 

hold  :  boolean_type 

end  record; 


0; 

(dl,d2>; 
(others=>f) 
1; 
f; 


type  machine2_state_type  is 
record 

state  number     :  natural  :=  0; 

in_buffer         :  data_array_type       :=  (others=>e) 
pkt  rec  :  boolean_array_type    :=  (others=>f)  , 

end  recor3; 


type  global_variable_type  is 
record 

DATA  :  data_array_type 

CONTROL  :  ack_array_type 

end  record; 


:=  (others=>e) ; 
=  (others=>e) ; 


end  definitions; 
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PREDICATE-ACTION 

separate  (main) 

function   Analyze_Predicates_Machinel ( local  :  machinel_state_type; 

GLOBAL:  global_variable_type)  return  transition_- 
stack_package. stack  is 
begin 

MakeEmpty  (transit  ion_stack)  ; 

if  (( (local. hold  =  f)  and  (local .out_buffer (1)  /=  E)  and  (GLOBAL. D ATA ( 1) =E) )  or 

((local. hold  =  f)  and  (local .out_buf fer (2)  /=■  E)  and  (GLOBAL. DATA (2) =E) ) )  then 
Push  (transition_stack, snd_data) ; 
end  if; 
if  (( (local. ack_rec(l)=f)  and  (GLOBAL. CONTROL (1)  =A1))  or 

((local.ack_rec(2)=f)  and  (GLOBAL. CONTROL (2)  =A2)))  then 
Push (transition_stack, rcv_ack) ; 
end  if; 

Push (transition_stack, adv_winl)  ; 
return  transition_stack; 
end  Analyze_Predicates_Machinel; 

separate  (main) 

function  Analyze_Predicates_Machine2 (local  :  machine2_state  type; 

GLOBAL:  global_variable_type)  return  transition_- 
stack_package .stack  is 
begin 

MakeEmpty (transition_stack) ; 

if  (( (GLOBAL. DATA (1)  =  Dl)  and  (GLOBAL. DATA (2)  =■  E)  and  ( local .pkt_rec ( 1) =f) )  or 
( (GLOBAL. DATA (1)  =  E)  and  (GLOBAL. DATA (2)  =  D2)  and  (local .pkt_rec (2) =f ) )  or 
( (GLOBAL. DATA (1)  =  Dl)  and  (GLOBAL. DATA (2 )  =  D2)  and  ( local .pkt_rec (1) =t )  and 

(local. pkt_rec(2) =f) )  or 

( (GLOBAL. DATA (1)  =  Dl)  and  (GLOBAL. DATA (2)  =  D2)  and  ( local .pkt_rec (1) =f)  and 

(local. pkt_rec(2) =f) ) )  then 
Push  (transition_stack, rcv_data) ; 
end  if; 
if  (( (GLOBAL. CONTROL (1)=E)  and  ( local .pkt_rec ( 1) =t) )  or 

( (GLOBAL.CONTROL(2)=E)  and  ( local .pkt_rec (2) =t ) ) )  then 
Push (transit ion_stack, snd_ack) ; 
end  if; 

return  transition_stack; 
end  Analyze_Predicates_Machine2;  --  this  returned  value  is  then  checked  against  the 
machine  arrays 

—  to  determine  if  indeed  this  transition  can  be 
taken 

separate  (main) 

procedure  Action (in_system_state   :  in  out  Gstate_record_type; 

in_t ransit ion     :  in  out  scm_t ransit ion_type; 

out_system_state  :  in  out  Gstate_record_type)  is 

temp  :  integer  :=  0; 
begin 

case  (in_transition)  is 
when  (snd_data)  => 

out_system_state .GLOBAL_VARIABLES . - 
DATA (in_system_st ate . machine l_state. current)  := 

in_system_state . machine l_state. out_- 
buf fer (in_system_state.machinel_state .current) ; 

out_system_state . machinel_state. cur rent  :=  in_system_state. machine l_state. - 
current; 

begin 

case  ( in_system_state .machinel_state . cur  rent )  is 

when  1  => 

out_system_state . machinel_state . current  :=  2; 
when  2  => 

— out_system_state .machinel_state . current  :=  1; 
out_system_state .machinel_state . hold  :=  t ; 
when  others  => 

put_line ("error  in  the  action  procedure"); 
end  case; 
end; 
when  (rcv_ack)  => 

if (in_system_st ate. GLOBAL_VARIABLES. CONTROL (1) =A1)  then 
out_system_state .machinel_state.ack_rec ( 1)  :=  t; 

out_system_state.GLOBAL_VARIABLES. CONTROL (1)  :=  e; 
out  system  state .mach inel  state . cur  rent  :=  1; 
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else 

if  (in_system_state.GLOBAL_VARIABLES.CONTROL(2)=A2)  Chen 
out_system_state .machinel_state .ack_rec (2)  :=  t; 
out_system_state.GLOBAL_VARIABLES. CONTROL (2)  :=  e; 
out_system_state .machinel_state . current  :=  2; 
end  if; 
end  if; 
when  (rcv_data)  => 
if  (in_system_state.GLOBAL_VARIABLES.DATA(l)  =  Dl)  then 
out_system_state.machine2_state.in_buf fer (1)  := 

in_system_state.GLOBAL_VARIABLES.DATA(l) ; 
out_system_state.GLOBAL_VARIABLES.DATA(l)  :=  e; 
out_system_state.machine2_state.pkt_rec (1)  :=  t; 
else 

if  (in_system_state. GLOBAL  VARIABLES .DATA (2)  =■  D2)  then 
out_system_state  .ir.achine2"_state  .  in_buf  fer  (2)  :  = 
in_system_state.GL0BAL_VARIABLES.DATA(2) ; 
out_system_state.GLOBAL_VARIABLES.DATA(2)  :=  e; 
out_system_state .machine2_state . pkt_rec (2) :=  t; 
end  if; 
end  if; 
when  isnd_ack)  => 

if  (in_system_state .machine2_state .pkt_rec ^1)  =t)  then 

out_system_state.GLOBAL_VARIABLES.CONTROL(l)  :=  al; 
out_system_state .machine2_state .pkt_rec ( 1)  :=  f; 

out_system_state .machine2_state . in_buf fer (1)  :=  e; 
else 
if  ( in_system_state ,machine2_state .pkt_rec (2) =t )  then 

out_system_state.GLOBAL_VARIABLES.CONTROL(2)  :=  a2; 
out_system_state .machine2_state .pkt_rec (2)  :=  f; 
out_system_state.machine2_state . in_buf fer (2)  :=  e; 
end  if; 
end  if; 
when  (adv_winl)    => 
if  ( ( in_system_state .machinel_state .ack_rec (1)  =t)  and 
(in_system_state.machinel_state.ack  rec(2)=f)  and 
(in_system_state.machinel_state.hol3  =  t)  and 
( in_system_state . machinel_state .current  =  1)  and 
(in_system_state.GLOBAL_VARIABLES.DATA(l)  =  E)  and 
(in_system_state.GL0BAL_VARIABLES.DATA(2)  =  02))  then 
out_system_state . machine l_state . ack_rec ( 1)  :=f ; 
out_system_state . machine l_state . ack_rec (2)  :  =  f  ; 
out_system_state . machine l_state. ho  Id  :  =  f; 
out_system_state . machine l_st ate . current  :=2; 
out_system_state.GLOBAL_VARIABLES.DATA(l)  :=  Dl; 
out_system_state.GL0BAL_VARIABLES.DATA(2)  :=  E; 

elsif 

( ( in_system_state . machine l_state .ack_rec (1) =t )  and 
(in_system_state .machinel_state.ack_rec(2) =f)  and 
( in_system_state .machinel_state . hold  =  t)  and 
( in_system_state .machinel_state . current  =  1)  and 
( in_system_state .machine2_state . in_buf fer ( 1)  =  E)  and 
( in_system_scate . machine2_state . in_buf fer (2)  =  D2)  and 
( in_system_state .mach ine2_state . pkt_rec ( 1)  =  f)  and 
( in_system_state .machine2_state .pkt_rec (2 )  =  t))  then 

out_system_state .machine l_state.ack_rec(l)  :=f; 

out_system_state .machinel_state. ack_rec (2)  : =f  ; 

out_system_state .machinel_state.hold  :=f; 

out_system_state. ma chinel_state. current  :=2; 

out_system_state .machine2_state . in_buf fer ( 1 )  :=  Dl; 

out_system_state .machine2_state . in_buf fer (2 )  :=  E; 

out_system_state .machine2_state . pkt_rec ( 1)  :=  t; 

out_system_state ,machine2_state .pkt_rec (2 )  :=  f; 
elsif 

( (in_system_state .machinel_state .ack_rec (1) =t )  and 
( in_system_state . machine l_state .ack_rec (2)  =f )  and 
( in_system_state .machinel_state . ho  Id  =  t)  and 
( in_system_state .machinel_state .cur  rent  =  1)  and 
(in_system_state.GLOBAL_VARIABLES. CONTROL (1)  =  E)  and 
(in_system_state.GL0BAL_VARIABLES.C0NTR0L(2_)  =  A2))  then 

out_system_state.machinel_state.ack_rec (1)  :=f; 

out_system_state .machinel_state.ack_rec(2)  :=f; 

out_system_state .machinel_state.hold  :=f; 

out_system_scace . mach inel_st ate .current  : =2; 

out  system  state. GLOBAL  VARIABLES .CONTROL ( 1 )  :=  Al; 
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out_system_state.GL0BAL_VARIABLES.C0NTR0L(2)  :=  E; 
else 

if  ( (in_system_state .machinel_state . ack_rec ( 1) =t )  and 

(in_system_state.GL0BAL_VARIABLES.DATA(2) /-E) )  then 
out_system_state .machinel_staCe .hold  :=  t; 
elsif  ( (in_system_state.machinel_state .ack_rec (1) =t)  and 
(in_system_state . machine l_st ate . ack_rec (2) =f )  and 
(in_system_state.GL0BAL_VARIABLES.DATA(2) =E) )  then 
out_system_state.machinel_state.ack_rec (1)  :=  f; 
elsif  ( (in_system_state .machinel_state .ack_rec (1) =f )  and 
(in_system_state .machinel_state . ack_rec (2)  =t)  and 
(in_system_state .machinel_state .hold  =  t) )  then 

out_system_state.machinel_state.ack  rec(2)  :=  f; 
out_system_state.machinel_state.hol3  :=  f; 
else 

if  ( (in_system_state .machinel_state ,ack_rec (1) =t )  and 
(in_system_state .machinel_state.ack_rec (2) =t)  and 
(in_system_state.GLOBAL_VARIABLES.DATA(l)  =E)  and 
(in_system_state.GL0BAL_VARIABLES.DATA(2)=E) )  then 
out_system_state .machinel_state .hold  :=  f; 
out_system_state.machinel_state .ack_rec (1)  :=  f; 
out_system_state .machinel_state .ack_rec (2)  :=  f; 
end  if; 
end  if; 

out  system_state.machinel_state. current  :=  1; 
end"  if; 
when  others  »> 

put_line ("There  is  an  error  in  the  Action  procedure"); 
end  case; 
end  Action; 
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OUTPUT  FORMAT 


separate  (main) 

procedure  output_Gtuple (tuple  :  in  out  Gstate_record_type)  is 

begin 


put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 
put 


*  ["  &  integer' image (tuple .machinel_state . state_number) ) ; 

*  , "  &  integer' image (tuple .machine2_state . state_number) ) ; 

m  *  \   . 

tuple. machinel  state. out_buf fer (1) ,  width  =>  2); 

t      It 

tuple. machinel_state.out_buf fer (2)  ,  width  =>  2); 

*  * )  • 

tuple. machinel_state.ack_rec (1) , width=>l) ; 

•,-); 

tuple . machine l_state .  ack_rec (2)  ,  width=>l)  ; 
tuple. machinel_state. hold,  width=>l) ; 
tuple. machine2  state. in_buf fer (1) ,  width  =>  2)  ; 
tuple. machine2  state. in_buf fer (2) ,  width  =>  2)  ; 

«  m  \   . 
t      If 

tuple. machine2_state .pkt_rec (1) ,width=>l) ; 

i    it 
tuple .machine2_state .pkt_rec (2)  ,  width=>l) ; 
«  tt  \   . 

tuple. GL0BAL_VARIABLES.DATA(1)  ,  width  =>2)  ; 

*  *); 

tuple.GL0BAL_VARIABLES.DATA(2)  ,  width  =>2); 

tuple. GLOBAL_VARIABLES. CONTROL (1)  ,  width  =>2)  ; 

tuple. GLOBAL_VARIABLES. CONTROL (2)  ,  width  =>2); 
«  »t  . 

tuple.machinel_state .current, width=>l) ; 

«  ]"); 


end  output  Gtuple; 

separate  (main) 

procedure  outpuc_Gtuple_to_f ile (tuple  :  in  out  Gscate_record_type; 

counter  :  in  out  integer)  is 
begin 

put (reach, counter) ; 

put(reach,"    [*  &  integer' image (tuple .machinel_state . state_number ) ) 

put (reach, ", "  &  integer' image (tuple. machine2_state. state_number ) ) ; 

put  (reach, ",") ; 

put (reach, tuple .machinel_state .out_buf fer ( 1) ,  width  =>  1) ; 

put (reach, ", ")  ; 

put (reach, tuple .machinel_state.out_buf fer (2)  ,  width  =>  1); 

put (reach, ",  ")  ; 

put (reach,  tuple.machinel_state .ack_rec  (1) ,width=>l) ; 

put (reach, ",  ")  ; 

put (reach, tuple.machinel_state .ack_rec (2) , width=>l) ; 

put (reach, ", ")  ; 

put (reach, tuple .machine2_scate . in_buf fer  ( 1 ) ,  width  =>  1) ; 

put (reach, ",  ")  ; 

put (reach, tuple .machine2_state . in_buf fer (2) ,  width  =>  1); 

put ( reach,  " ,")  : 

put  (  reach,  tuple  .machine2_state  .pkt_rec  (1)  ,  width  =  >l)'; 

put (reach, ", ") ; 

put (reach, tuple .machine2_state .pkt_rec(2) , width=>l) ; 

put (reach, " ,") ; 

put (reach, tuple. GLOBAL_VARIABLES. DATA(l) ,  width  =>1); 

put (reach, "  ] ")  ; 

new_line ( reach) ; 
end  output_Gtuple  to  file; 


separate  (main) 

procedure  output_Gstate_node (Gstate_po inter  :  in  out  Glin,k_type; 

Error_flag      :  in  out  boolean)  is 
begin 

output_l ine_count  :=  output  line_count  *  1; 
if  ( (output_l ine_count  mod  TO)  =  0)  then 
scroll  pause; 
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end  if; 

set_col (Gcolumn_set) ; 

put (Gstate_pointer . system_state_number/  width  =>  3); 
output_G tuple (Gstate_po inter .Gtuple) ; 

if  (  (Gstate_pointer. linkl .Glink  =  null)  and  then  (Gstate_pointer . Iin)c2 .Glink  =  null) 
and  then 

(Gstate_pointer . Iink3 .Glink  =  null)  and  then  (Gstate_pointer . Iink4 .Glink  ■  null)) 
then 

Error_flag  :=  true; 
else 

Error_flag  :=  false; 
end  if; 
end  output_Gstate_node; 
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REACHABILITY  ANALYSIS  of  :  sel  rep  w2 
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